Hi hackers,
My name is Krishnadev P Melevila. To know more about me, just search “Who is Krishnadev P Melevila” on Google or ask your Google Assistant.
Vulnerability: IDOR
Impact: Critical
Risks:
1. An attacker can view the PII (Personally Identifiable Information) and other sensitive details of any applicant, including ID proofs, Aadhaar cards, photos, signatures, etc.
Priority: P0
So, let’s start:
Disclaimer: Important Security Notice
As an ethical and responsible researcher, I want to clarify that the content provided in my blog, including any write-ups, is solely intended for educational and informational purposes. The purpose is to raise awareness about cybersecurity and the significance of identifying vulnerabilities to strengthen digital defenses.
I strictly condemn and do not promote any illegal activities, including hacking, unauthorized access, or any form of cyber-attacks.
If, during my research, I happen to discover any potential vulnerabilities in websites belonging to NIC (National Informatics Centre) or any other organization, I commit to following ethical disclosure practices. This entails promptly reporting the identified vulnerability to the concerned authorities, such as NCIIPC (National Critical Information Infrastructure Protection Centre) or CERT-In (Indian Computer Emergency Response Team).
My primary goal is to contribute positively to the cybersecurity community and assist in creating a safer online environment for everyone. Together, we can build a more secure cyberspace by addressing vulnerabilities responsibly and adhering to the principles of ethical hacking.
Thank you for your understanding and support in maintaining the integrity and security of the digital landscape.
Steps to reproduce (attacker’s POV):
1. Visit https://saralsanchar.gov.in/, register an account as the attacker and log in.
2. Click on “WPC apply now”.
3. Select “Amateur Station Exam” and click Go.
4. Complete the basic steps (filled with the attacker’s own fake details) and click “Save draft”.
5. Now go back and click “Previous applications”.
6. Now click on the attachment icon and intercept its request using a web interception proxy such as Burp Suite.
POST /wpc_new/wpc_reports/get_exam_appln_details_for_dashboard.php HTTP/1.1
Host: saralsanchar.gov.in
Cookie: SESSITPC=<REDACTED>
Content-Length: 40
Sec-Ch-Ua: "Google Chrome";v="111", "Not(A:Brand";v="8", "Chromium";v="111"
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0

appid=<REDACTED>
The “appid” parameter is sequential in nature, so the ID of any other application can simply be guessed. Change the appid in the above request and resend it: the server returns the application details for whichever appid is sent, without checking that it belongs to the logged-in user. For each ID sent we get the following details:
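What the enumeration above looks like from the defender’s side, as an added example that is not part of the original write-up: a small Python detector that reads per-request application log lines and flags any session that asks the dashboard endpoint for many distinct appids in a short window, then checks whether those ids step consecutively (the footprint of someone incrementing a sequential appid rather than clicking links). The log format, the session ids and the sample lines are constructed for this example; the write-up only shows the intercepted request.

```python
"""Spotting appid enumeration in application logs.

Added example, not part of the original write-up. It assumes the
application writes one line per request to its own log as

    <ISO-8601 timestamp> <session id> <method> <path> appid=<n>

That format, the session ids and the sample lines below are constructed
for this example; the write-up only shows the intercepted request.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

TARGET_PATH = "/wpc_new/wpc_reports/get_exam_appln_details_for_dashboard.php"

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sess>\S+) (?P<method>[A-Z]+) (?P<path>\S+) appid=(?P<appid>\d+)$"
)


def parse_line(line: str) -> dict | None:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "sess": m["sess"],
        "path": m["path"],
        "appid": int(m["appid"]),
    }


def find_enumerators(lines, window=timedelta(minutes=5), threshold=5):
    """Return {session: sorted distinct appids} for every session that asked
    TARGET_PATH for at least `threshold` distinct appids inside some `window`.

    A genuine applicant only touches the handful of appids they own, so a
    session cycling through many distinct ids is the IDOR probe described
    in the write-up.
    """
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != TARGET_PATH:
            continue
        events[rec["sess"]].append((rec["ts"], rec["appid"]))

    flagged = {}
    for sess, evs in events.items():
        evs.sort()
        best = set()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`,
            # then keep the largest set of distinct ids seen in any window.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ids = {appid for _, appid in evs[start:end + 1]}
            if len(ids) > len(best):
                best = ids
        if len(best) >= threshold:
            flagged[sess] = sorted(best)
    return flagged


def looks_sequential(ids, max_gap: int = 2) -> bool:
    """True when the sorted ids step by at most `max_gap`: what a guesser
    incrementing a sequential appid produces."""
    return len(ids) > 1 and all(b - a <= max_gap for a, b in zip(ids, ids[1:]))


# Constructed sample log: one legitimate applicant re-opening their own
# application, one session walking consecutive appids, and a junk line.
SAMPLE_LOG = [
    "2023-04-01T10:00:00 sess_legit POST " + TARGET_PATH + " appid=2041",
    "2023-04-01T10:00:20 sess_legit POST " + TARGET_PATH + " appid=2041",
    "this line is not in the expected format",
    "2023-04-01T10:01:00 sess_probe POST " + TARGET_PATH + " appid=2040",
    "2023-04-01T10:01:04 sess_probe POST " + TARGET_PATH + " appid=2041",
    "2023-04-01T10:01:08 sess_probe POST " + TARGET_PATH + " appid=2042",
    "2023-04-01T10:01:12 sess_probe POST " + TARGET_PATH + " appid=2043",
    "2023-04-01T10:01:16 sess_probe POST " + TARGET_PATH + " appid=2044",
    "2023-04-01T10:01:20 sess_probe POST " + TARGET_PATH + " appid=2045",
    "2023-04-01T10:02:00 sess_legit POST " + TARGET_PATH + " appid=2041",
]

if __name__ == "__main__":
    for sess, ids in find_enumerators(SAMPLE_LOG).items():
        kind = "sequential" if looks_sequential(ids) else "scattered"
        print(f"{sess}: {len(ids)} distinct appids ({kind}): {ids}")
```

The threshold and window are deliberately loose; an applicant with several drafts will stay well under five distinct ids in five minutes, while a probe walking the id space trips it in seconds. The sequential check is what separates a scripted walk from, say, an admin dashboard that legitimately opens many unrelated records.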
But the files can’t be downloaded directly from here. The download file URL is:
https://saralsanchar.gov.in/common/downloadFile.php?f=REDACTED.jpg
This only returns an empty file. But if we use the “downloadImage.php” module instead, substituting the filename from the above table, we can successfully download every file listed in that table.
URL payload:
https://saralsanchar.gov.in/common/downloadImage.php?img=<FileName_From_Above_Table_Here>
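Both endpoints fail the same way: the record is looked up purely by the client-supplied key (a sequential appid, then a storage filename) and the logged-in session is never compared against the record’s owner. The following Python model shows the two handlers as the write-up describes them next to a fixed version; it is an added example, not the site’s code (the PHP behind it was never seen, only its behaviour). Users, appids, filenames, the attachment ids and the `(status, body)` return convention are all constructed for the example.

```python
"""Ownership checks for the two endpoints in the write-up.

Added example, not the site's code. It models both requests against an
in-memory store: the POST that takes the sequential ``appid`` and the
``downloadImage.php?img=<filename>`` fetch. Users, appids, filenames and
attachment ids are constructed; each handler returns (HTTP status, body).
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field


@dataclass
class Attachment:
    attachment_id: str  # opaque, random; what the fixed API hands to the client
    filename: str       # storage name; never exposed by the fixed API
    content: bytes


@dataclass
class Application:
    appid: int
    owner: str          # login of the applicant who created the draft
    details: dict
    attachments: list[Attachment] = field(default_factory=list)


def new_attachment_id() -> str:
    """Unguessable reference for a stored file. Defence in depth only: it
    makes guessing impractical but does not replace the ownership check."""
    return secrets.token_urlsafe(16)


# Constructed sample data: the victim's real draft and the attacker's own
# throwaway draft, with consecutive appids as on the site.
APPLICATIONS = {
    1001: Application(1001, "victim", {"name": "Victim User", "id_proof": "Aadhaar"},
                      [Attachment("att-victim-1", "victim_idproof.jpg", b"JPEG-victim")]),
    1002: Application(1002, "attacker", {"name": "Fake Name", "id_proof": "none"},
                      [Attachment("att-attacker-1", "attacker_photo.jpg", b"JPEG-attacker")]),
}
# Flat filename -> bytes map, i.e. what downloadImage.php effectively reads from.
FILES = {a.filename: a.content for app in APPLICATIONS.values() for a in app.attachments}


# --- behaviour the write-up describes: lookup keyed only by the client-supplied value ---

def get_exam_appln_details_vulnerable(session_user: str, appid: int):
    app = APPLICATIONS.get(appid)          # session_user is never consulted
    return (404, None) if app is None else (200, app.details)


def download_image_vulnerable(session_user: str, img: str):
    data = FILES.get(img)                  # any filename from any user's record
    return (404, None) if data is None else (200, data)


# --- fixed: the record must belong to the authenticated session ---

def get_exam_appln_details_fixed(session_user: str, appid: int):
    app = APPLICATIONS.get(appid)
    if app is None or app.owner != session_user:
        # Same answer for "does not exist" and "not yours", so a guesser
        # cannot use the status code to map which appids are live.
        return (404, None)
    return (200, app.details)


def download_image_fixed(session_user: str, attachment_id: str):
    # Resolve the file only through the caller's own applications; the
    # storage filename never appears in the request at all.
    for app in APPLICATIONS.values():
        if app.owner != session_user:
            continue
        for att in app.attachments:
            if att.attachment_id == attachment_id:
                return (200, att.content)
    return (404, None)


if __name__ == "__main__":
    print("details, vulnerable:", get_exam_appln_details_vulnerable("attacker", 1001))
    print("details, fixed:     ", get_exam_appln_details_fixed("attacker", 1001))
    print("download, vulnerable:", download_image_vulnerable("attacker", "victim_idproof.jpg"))
    print("download, fixed:     ", download_image_fixed("attacker", "att-victim-1"))
```

Two points worth checking when verifying a fix like this. First, the check belongs in every handler that resolves the object: the page’s observation that downloadFile.php returned an empty file while downloadImage.php served it is consistent with a check present in one wrapper and absent in the other. Second, switching to random ids (`new_attachment_id`) is worth doing, but on its own it only hides the problem; the server must still refuse a correctly guessed or leaked id that belongs to someone else.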
This was reported to NCIIPC and CERT-In. NCIIPC acknowledged the report, and I re-verified the vulnerability; it is not reproducible as of now.
My other bug reports: https://medium.com/@krishnadevpmelevila
Don’t forget to follow me on Medium and other social media. Also, please give your 50 claps for this write-up; that’s my inspiration to write more!!
I need your support to write more. Buy me a coffee, please: https://www.buymeacoffee.com/krishnadevpm
My Instagram handle: https://instagram.com/krishnadev_p_melevila
My Twitter handle: https://twitter.com/Krishnadev_P_M
My LinkedIn handle: https://www.linkedin.com/in/krishnadevpmelevila/