Hello hackers, in this post I am going to tell how I found multiple vulnerabilities in government websites and got acknowledged.
After getting multiple duplicates at HackerOne and private programs lately, my morale was super down. I was feeling tremendously down, so to keep my focus steady, a few days ago I started to look for government programs.
I know government sites are quite secure, and a lot of researchers hunt on these sites every day, but there is a beauty to it: as the scope is so large, there are lots of government websites, and every month new sites come up, so finding a bug in government sites is not hard, and the chance of getting a duplicate is low. So the RVDP of NCIIPC can be your breakthrough in bug bounty.
So I went to look for sites which are new and less likely to have been visited by bug hunters. Just a few days ago, one of my friends told me that he got an absence of SPF/DMARC record on a gov.in site. I didn't ask further, as I never looked for these bugs since they mostly remain out of scope, but the beauty of the government program is that almost all valid bugs are considered in-scope, no matter how low their severity. Isn't it good?
But somehow I also thought, let's see. So after a few minutes of trial and error I found 3 sites where SPF/DMARC records were absent. I reported them instantly, but let me tell you how to find this.
Just visit https://www.kitterman.com/spf/validate.html, put in the domain name of your target site and hit GET SPF RECORD (if any).
If it shows something like "no valid SPF records found", that means there is no SPF record and you can report it. So after I got that I immediately reported it, and after an hour I got this
After that I looked for a critical bug. Yes, host header injection: the chance of getting it is pretty low, but it's there. I got it on one of the govt sites, a Pradhan Mantri Yojana site, but after reporting they told me it's not a part of critical infrastructure, so it's not valid. So after a long search I got this in the blog of another gov.in site, blog.example.gov.in (taken as an example)
And I immediately reported it, and after some time I got this. I got both the bugs on the same day.
Now recently I learned about the xmlrpc bug, so what is the thing? On a lot of WordPress sites the admin, webmaster or dev sometimes forgets to disable the xmlrpc.php file, and leaving it enabled may lead to DoS and scanning of the internal network.
So I used Google dorks to look for sites on which xmlrpc.php is present, and immediately I got a result, and it was a gov.in site.
So when I visited that site, it showed something like this
I intercepted the request and sent it to Repeater; after that I changed the request method to POST and sent the request. Boom, I got a 200 response.
Now I added the following code and tried to observe the response
And I got a 200 response, and it listed all the methods available, and I noticed pingback.ping was there.
Note: I also found wp.getUsersBlogs, and this can be abused to perform a brute-force attack.
After that I fired up Burp Collaborator and tried to access an internal server.
So I added the following code to the request and sent it:
<value><string>http://<YOUR SERVER></string></value>
<value><string>https://<blog from site></string></value>
Use the Burp Collaborator payload in place of your server.
And back in the Collaborator client I got this
So by abusing this, an attacker can scan the internal network.
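If you are on the defending side, the same request shape is easy to spot before it reaches WordPress. The following is an added example (not code from the original post or from WordPress): it parses one XML-RPC POST body the way a WAF rule or a log-review script would, flags a pingback.ping whose source URI points at an internal host (the SSRF/port-scan probe described above) and flags wp.getUsersBlogs as brute-force bait. It also flags system.multicall, which is not mentioned in the post but is the usual way such calls are batched. All sample bodies are constructed; the hostnames and addresses in them are made up.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Methods singled out as risky; flagged whatever their parameters are.
RISKY_METHODS = {
    "wp.getUsersBlogs": "accepts credentials, usable for password brute force",
    "system.multicall": "batches many calls in one request, amplifies brute force / DoS",
}

def is_internal_host(host: str) -> bool:
    """True for loopback, RFC1918, link-local IPs and for non-public hostnames."""
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:  # not an IP literal: treat bare and .local/.internal names as internal
        return "." not in host or host.endswith((".local", ".internal"))

def inspect_xmlrpc(body: str) -> dict:
    """Parse one XML-RPC request body and return the method, its params and any findings."""
    # ElementTree does not resolve external entities, so untrusted input is safe here.
    root = ET.fromstring(body)
    method = (root.findtext("methodName") or "").strip()
    params = ["".join(p.itertext()).strip() for p in root.findall("params/param")]
    findings = []
    if method in RISKY_METHODS:
        findings.append(f"{method}: {RISKY_METHODS[method]}")
    if method == "pingback.ping":
        host = urlparse(params[0] if params else "").hostname
        if not host:
            findings.append("pingback.ping: malformed sourceURI")
        elif is_internal_host(host):
            findings.append(f"pingback.ping: sourceURI reaches internal host {host} (SSRF / port-scan probe)")
        else:
            findings.append(f"pingback.ping: server will fetch external host {host} (DoS amplification risk)")
    return {"method": method, "params": params, "findings": findings, "block": bool(findings)}

# Constructed sample bodies (not captured from any real site).
PROBE = """<?xml version="1.0"?><methodCall><methodName>pingback.ping</methodName>
<params><param><value><string>http://10.0.0.5:8080/</string></value></param>
<param><value><string>https://blog.example.gov.in/2020/01/hello/</string></value></param>
</params></methodCall>"""
BRUTE = """<methodCall><methodName>wp.getUsersBlogs</methodName><params>
<param><value><string>admin</string></value></param>
<param><value><string>guess1</string></value></param></params></methodCall>"""
RECON = "<methodCall><methodName>system.listMethods</methodName><params/></methodCall>"

if __name__ == "__main__":
    for body in (PROBE, BRUTE, RECON):
        print(inspect_xmlrpc(body))
```

The listing call (system.listMethods) produces no finding on its own; the fix on the server side is still to disable xmlrpc.php or remove the pingback methods, this script only tells you when someone is poking at it.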
I used dorks to find whether other govt sites were affected by it, and I got 3-4 more sites, so I made a report and reported all of them, and after some time I got this
So if you are a beginner and haven't discovered any bugs yet, this blog may lift you out of that disappointment.
So that's all for today. Follow me on Twitter https://twitter.com/AnonY0gi to get more exciting things related to cybersecurity and bug hunting.