This story is going to be about how I was able to hack the IIT Guwahati website.
Okay, another click-bait title to get you people to read my blog. Well, the title isn’t completely false either. And since you’ve already opened the story, let me tell you why a bug bounty program is necessary for your university or organisation, using this as an example.
So IITG has a complaint booking portal with a feature that allows the user to upload JPG or PNG files. It checks the file name extension, which means that if I try to upload a .php file it issues a warning saying only JPG and PNG files are allowed. But unfortunately it also goes on to process the request, which I thought was weird. To understand this better, you can watch the video embedded below.
There it is, the vulnerability. Can you see it? The request is being processed irrespective of the error. That means the .php file I uploaded was being written to the server. The fix was simple: they just have to make it something like this (add an else case).
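The control-flow mistake described above, and a corrected handler, as an added example; this is not the portal's actual code, which the post does not reproduce, and the function names, the `uploads/` directory and the `$_FILES['attachment']` field are assumptions. The fixed version also checks the file content and picks its own filename, which goes beyond the else case the post proposes.

```php
<?php
// Added example, not the portal's code. Assumes a multipart upload in $_FILES['attachment'].
$allowed = ['jpg', 'png'];

// BEFORE (the bug): the extension check only prints a warning, then execution
// falls through to move_uploaded_file() and the .php file is written anyway.
function saveUploadVulnerable(array $file, array $allowed): string
{
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        echo "Only JPG and PNG files are allowed.\n";
        // no return/else here: the request keeps being processed
    }
    $dest = 'uploads/' . basename($file['name']);
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// AFTER: a failed check stops the request (the "else case" the post describes).
// The content check and server-chosen filename are defence in depth beyond the
// post's fix: an extension whitelist on its own is easy to get wrong.
function saveUploadFixed(array $file, array $allowed): ?string
{
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        echo "Only JPG and PNG files are allowed.\n";
        return null;                       // reject: nothing is written
    }
    // Verify the bytes really are an image, not just the name.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !in_array($info[2], [IMAGETYPE_JPEG, IMAGETYPE_PNG], true)) {
        echo "File content is not a JPG or PNG image.\n";
        return null;
    }
    // Never reuse the client-supplied name; pick a random one with a safe extension.
    $dest = 'uploads/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    return $dest;
}

if (isset($_FILES['attachment'])) {
    $saved = saveUploadFixed($_FILES['attachment'], $allowed);
    echo $saved === null ? "Upload rejected.\n" : "Saved to $saved\n";
}
```

The `uploads/` directory should also be configured so the web server never executes scripts from it, so that a bypass of the checks above still cannot run code.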
As you can see, any script kiddie can try to upload a PHP shell whenever he sees a file upload form. In this case the web admin was actually checking the type of file being uploaded (JPG or PNG), but there was a minor mistake in the code that could have let someone take down or deface the entire website.
Since IIT Guwahati had a bug bounty program, I used it to submit this issue and got it fixed before someone else could misuse it.
I also made another video where I could have added my own name to the Hall of Fame. This write-up is part of the talk I gave at IIT Guwahati during the GCCS regional event on 10 Nov 2017.
Thank you for reading.