How I could have Hacked IIT Guwahati’s website.

This story is going to be about how I was able to hack the IIT Guwahati website.

Okay, another click-bait title to get you people to read my blog. Well, the title isn’t completely false either. And since you’ve already opened the story, let me use it as an example of why a bug bounty program is necessary for your university or organisation.

So IITG has a complaint booking portal with a feature that allows the user to upload JPG or PNG files. It checks the file name extension, which means that if I try to upload a .php file it issues a warning saying only JPG and PNG files are allowed. But unfortunately it also processes the request anyway, which I thought was weird. To understand this better, you can watch the video embedded below.

[Video: POC video made to report]

    if(!Image):
        Print Error
    Process request

There it is, the vulnerability. Can you see it? The request is processed irrespective of the error. That means the PHP file I uploaded was being written to the server. The fix was simple: add an else branch, something like this.

    if(!Image):
        Print Error
    else:
        Process request

As you can see, any script kiddie can try to upload a PHP shell whenever they see a file upload form. In this case the web admin was actually checking the file type being uploaded (JPG or PNG), but a minor mistake in the code could have let someone take down or deface the entire website.
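To make the control-flow bug concrete, here is an added example in Python (not the portal's code, which was PHP): the vulnerable handler reports the error but writes the file anyway, while the fixed handler returns on the error path before any write. The fixed version also goes one step beyond the page's else-branch fix by checking the file's leading bytes and storing under a server-chosen name; the function names, the in-memory `store` dict and the sample bytes are constructed for illustration.

```python
"""Constructed example (not the portal's code): the upload logic described
above, with the vulnerable control flow next to a hardened version."""
import hashlib
import os

ALLOWED_EXT = {"jpg", "jpeg", "png"}
# Leading bytes of the two accepted formats, used to validate content.
MAGIC = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
         "png": b"\x89PNG\r\n\x1a\n"}


def ext_of(filename: str) -> str:
    """Lower-cased extension without the dot ('' if none)."""
    return os.path.splitext(filename)[1].lower().lstrip(".")


def upload_vulnerable(filename: str, data: bytes, store: dict) -> str:
    """Extension check, then the bug: the warning is issued but the
    request is still processed, so the file lands on the server."""
    if ext_of(filename) not in ALLOWED_EXT:
        print("Only JPG and PNG files are allowed")
    store[filename] = data          # reached even after the warning
    return "stored"


def upload_fixed(filename: str, data: bytes, store: dict) -> str:
    """Reject before any write. Also verifies the content bytes and
    picks the stored name itself, so the client-supplied name never
    decides how the web server treats the file."""
    ext = ext_of(filename)
    if ext not in ALLOWED_EXT or not data.startswith(MAGIC[ext]):
        return "rejected"           # nothing is written on the error path
    safe_name = hashlib.sha256(data).hexdigest() + "." + ext
    store[safe_name] = data
    return "stored"
```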

Since IIT Guwahati had a Bug Bounty program, I used it to submit this issue and got it fixed before someone else could misuse it.

I also made another video in which I could have added my own name to the Hall Of Fame. This write-up is part of the talk I gave at IIT Guwahati during the GCCS regional event on 10 Nov 2017.

[Video: Adding my own name to the Hall Of Fame page]

Thank you for reading.

Peace :)