Getting recognized by CERT-In (Indian Computer Emergency Response Team) is a milestone for many bug bounty hunters and security researchers in India.
I recently achieved this milestone twice.
What’s funny is that it didn’t require zero-days or deep exploit development. It all began with the simplest tool in a researcher’s kit: a search engine.
Phase 1: The Reconnaissance (Google Dorking on Steroids)
Every good hunt starts with reconnaissance. When you’re looking at a huge scope like *.gov.in, brute-forcing or mass scanning is the worst approach. You need a clear attack surface first.
Hence, I used Google dorking, the art of using advanced search operators to find information that isn’t readily visible to the average user.
I crafted a specific list of dorks aimed at uncovering sensitive files, configuration errors, and admin panels within the government domain.
Broad Scope & Infrastructure:
site:*gov.in
site:*gov.in/robots.txt
site:*gov.in/sitemap.xml
site:*gov.in/*.js
Juicy File Extensions (Information Disclosure):
site:*gov.in filetype:pdf
site:*gov.in filetype:xlsx OR filetype:xls
site:*gov.in (filetype:zip OR filetype:tar OR filetype:gz OR filetype:sql)
Pro Tip: Keeping track of these dorks can be tedious. I keep all my best dorks and checklists organized over at recon.vulninsights.codes. Feel free to use it to build your own bug bounty checklist.
Phase 2: Striking Gold
After running through these dorks, I started sifting through the results. It involves a lot of scrolling past irrelevant data, but eventually, something catches your eye.
I was looking for URLs with parameters, those little ?id=123 bits at the end of a link. Parameters are often where user input meets the backend database, making them prime targets for injection attacks.
Two sites caught my eye:
https://[redacted].gov.in/testimonial.php?lang=2&lid=2464
https://[redacted].gov.in/search.php?page=14&fromdate=26-04-2024&todate=27-04-2024&state_name=35%20OR%201=1%20&circle=&division=&range=&block=&beat=&source=
Multiple parameters in a government site? Yes, that’s basically a “please test me” invitation.
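As an added example (not code from the original post), here is a small Python script that does the parameter triage described above from the defender's side: given a list of URLs, such as the dork results or a sitemap export, it inventories which endpoints take query parameters and which names they accept, and it flags percent-decoded values that carry SQL keywords or metacharacters, the same check that would surface the state_name value above in an access log. The URLs and hostnames below are constructed placeholders.

```python
"""Added example, not from the original post: inventory parameterised
endpoints from a list of URLs and flag query values that look like
injection probes. The URLs below are constructed; the hostnames are
placeholders, not real sites."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample input shaped like the dork results in the post.
SAMPLE_URLS = [
    "https://example-a.gov.in/testimonial.php?lang=2&lid=2464",
    "https://example-a.gov.in/testimonial.php?lang=1&lid=10",
    "https://example-b.gov.in/search.php?page=14&fromdate=26-04-2024"
    "&todate=27-04-2024&state_name=35%20OR%201=1%20&circle=&division="
    "&range=&block=&beat=&source=",
    "https://example-b.gov.in/about.html",
    "https://example-c.gov.in/docs/report.pdf",
]

# SQL keywords and metacharacters that rarely belong in an id-style value.
PROBE = re.compile(r"\b(or|and|union|select)\b|'|\"|--|;", re.IGNORECASE)


def split_params(url):
    """Return (host, path, [(name, value), ...]) with values percent-decoded."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    return parts.hostname, parts.path, pairs


def inventory(urls):
    """Map (host, path) -> set of parameter names, for URLs that take input."""
    endpoints = defaultdict(set)
    for url in urls:
        host, path, pairs = split_params(url)
        for name, _ in pairs:
            endpoints[(host, path)].add(name)
    return dict(endpoints)


def flag_probes(urls):
    """Return (url, parameter, decoded value) for every value matching PROBE."""
    hits = []
    for url in urls:
        _, _, pairs = split_params(url)
        for name, value in pairs:
            if PROBE.search(value):
                hits.append((url, name, value))
    return hits


if __name__ == "__main__":
    for (host, path), names in sorted(inventory(SAMPLE_URLS).items()):
        print(f"{host}{path}: {', '.join(sorted(names))}")
    for url, name, value in flag_probes(SAMPLE_URLS):
        print(f"probe-like value in {name!r}: {value!r}")
```

Static pages and documents drop out of the inventory because they carry no query string; the search.php endpoint shows up with all ten parameter names, and its state_name value is the only one the probe pattern flags. The same two functions run unchanged over the request URLs in a web server log.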
Phase 3: The Exploitation
I started with the basics: checking for client-side issues. And boom, reflected XSS popped up almost instantly.
But then it got more interesting.
While poking at the lang and state_name parameters, the responses began acting weird. Errors changed. Pages broke.
A few crafted payloads later, it was confirmed:
The endpoint was vulnerable to SQL Injection.
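As an added example (not code from the original post, and not the affected site's code), the two bug classes from Phase 3 reproduced and fixed side by side in Python with an in-memory SQLite table standing in for the backend. The table, column and function names are assumptions; the "35 OR 1=1" value is the decoded state_name parameter from the search.php URL above.

```python
"""Added example, not from the original post: the two bugs from Phase 3
reproduced and fixed side by side. An in-memory SQLite table stands in
for the backend; table, column and function names are assumptions."""
import html
import sqlite3


def make_db():
    """Constructed sample data standing in for the site's real table."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE office (id INTEGER PRIMARY KEY, state_name INTEGER, circle TEXT)"
    )
    con.executemany(
        "INSERT INTO office VALUES (?, ?, ?)",
        [(1, 35, "North"), (2, 12, "South"), (3, 7, "East")],
    )
    return con


def search_vulnerable(con, state_name):
    """The bug: the raw query value becomes part of the SQL text, so
    state_name=35 OR 1=1 rewrites the WHERE clause and returns every row."""
    sql = "SELECT id, circle FROM office WHERE state_name = " + state_name
    return con.execute(sql).fetchall()


def search_fixed(con, state_name):
    """The fix: the value is bound as a parameter. SQLite compares it as
    data, so '35 OR 1=1 ' matches nothing while '35' matches one row."""
    sql = "SELECT id, circle FROM office WHERE state_name = ?"
    return con.execute(sql, (state_name,)).fetchall()


def render_vulnerable(lang):
    """Reflected XSS: the lang parameter is echoed into HTML unchanged."""
    return f"<p>Language: {lang}</p>"


def render_fixed(lang):
    """HTML-escaping the reflected value neutralises any markup in it."""
    return f"<p>Language: {html.escape(lang)}</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "35 OR 1=1 "  # decoded state_name value from the URL above
    print("vulnerable:", search_vulnerable(db, payload))  # all three rows
    print("fixed:", search_fixed(db, payload))  # []
    print("fixed, legitimate value:", search_fixed(db, "35"))  # one row
    print(render_fixed("<script>alert(1)</script>"))
```

Binding the value is what closes the hole: the database never parses user input as SQL, so the same text that returned the whole table under concatenation returns nothing. Validating that an id-style parameter is numeric before the query is a worthwhile second layer, but it is not a substitute for parameterisation. For the reflection, html.escape handles the HTML body context shown here; a value placed inside a script block or an attribute needs the escaping appropriate to that context.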
My reports were validated, patched, and acknowledged.
September 2025: [acknowledgement image]
October 2025: [acknowledgement image]
Some of the findings:
2 SQL Injections: [two screenshots]
Several PHPInfo pages (information disclosure): [two screenshots]