I still haven’t been able to write a proper blog post about my Smart India Hackathon (SIH) experience.
We finally won 🥳
Then after more than a month, we all received an email from AICTE saying that our SIH Certificates were ready! 🤩🤩
So I went ahead and downloaded my certificate. Take a look 🤩
But, I ain’t writing this post just to show off my achievement 😛🤷‍♂️
After downloading the certificate, I crawled through the site in & out and managed to find a few vulnerabilities.
This post only contains info about the major one.
Severity of vulnerability: High
Time: 5 min approx. (yeah, I know 🤷‍♂️)
Technique: SQL Injection (Noob level 😒)
The certificate server had receiving endpoints in “?id=” format & then this happened 👇
As you can see, I’m inside their database and have complete access to the information.
I saved all the data from all the ‘tables’ in that DB to a CSV file to observe more (can’t show user info here) & found all the details of the participants, winners, which team won, which participated, mentor details, evaluator details, etc.
Given a few more hours, I could simply alter the winning and participating teams, their winning status, change mentors, evaluators.
Basically, I could create havoc in their system but rather chose to report the vulnerability 😎
They already took more than a month to build a certificate distribution server, could’ve taken a few more weeks to make it a lil bit more secure. 😁
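
How a “?id=” certificate lookup like the one described above can be written so the parameter never becomes part of the SQL text, as an added example that is not the certificate server's code: the table and column names, the sample rows and the use of SQLite are assumptions made for illustration. It validates the id, binds it as a query parameter, and opens the database read-only so the endpoint cannot change winners, mentors or evaluators.

```python
import re
import sqlite3
import tempfile
from pathlib import Path

def build_sample_db(path):
    """Create a constructed sample database (schema and rows are assumptions)."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE certificates ("
                 "id INTEGER PRIMARY KEY, team TEXT, status TEXT, mentor_email TEXT)")
    conn.executemany("INSERT INTO certificates VALUES (?, ?, ?, ?)", [
        (1, "Team A", "winner", "mentor.a@example.org"),
        (2, "Team B", "participant", "mentor.b@example.org"),
    ])
    conn.commit()
    conn.close()

def open_readonly(path):
    """Least privilege: a certificate download endpoint only ever needs to read."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)

ID_PATTERN = re.compile(r"[0-9]{1,9}")

def get_certificate(conn, raw_id):
    """Return (id, team, status) for the ?id= value, or None if invalid or unknown."""
    # Reject anything that is not a short run of ASCII digits before touching the DB.
    if not isinstance(raw_id, str) or not ID_PATTERN.fullmatch(raw_id):
        return None
    # The value is bound as a parameter, so it is never parsed as SQL text.
    # Only the columns the certificate needs are selected, not mentor_email.
    return conn.execute(
        "SELECT id, team, status FROM certificates WHERE id = ?",
        (int(raw_id),),
    ).fetchone()

if __name__ == "__main__":
    db_path = Path(tempfile.mkdtemp()) / "sih_demo.db"
    build_sample_db(db_path)
    conn = open_readonly(db_path)
    for value in ["1", "2", "999", "abc", "1 OR 1=1"]:  # constructed inputs
        print(repr(value), "->", get_certificate(conn, value))
    try:
        conn.execute("UPDATE certificates SET status = 'winner'")
    except sqlite3.OperationalError as exc:
        print("write refused:", exc)
```
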