I Hacked Every Single Staff Account on AirIndia within 1.5 Minutes :)

Saransh Saraf aka (MR23R0)
Feb 5, 2022

Staff Account takeover AirIndia

Hello Beautiful creative people, hope you’re doing great.

This is the continuation of “The Password Bypass Series”.

So first of all, let me clear up a point: there will be some lines which you may not like, so please don’t take it personally.

As per my daily routine, I was at my shop with my Papa when a customer came in who was showing off. He was telling me what he can do, that he can hack and that hacking is an Art (literally, I was like, you know who I am :) but I didn’t say anything to him.

After coming home, this small talk kept coming to my mind again and again :\

Then I thought, let’s do something which will let him know who I really am :)

So I started googling programs (Indian). Then I thought, let’s take a chance and target AirIndia.

But when I was searching for AirIndia’s bug bounty program, I found this :|

No bounties for hackers ?

Which was very weird. Why are they not providing bounties or financial support? Then I told myself, let’s do it only because of my pride, my country “India” :)

After a few minutes of recon, I found that most of AirIndia’s web applications are running “IIS Windows”, so I started to gather XSS and SQL injection parameters, but I didn’t find any XSS or SQLi.

So I thought, let’s dig deeper, and I took one domain which was only for staff:

“*.airindia.in”

tender staff login

So I tried Admin:Admin but it didn’t work, so I tried “admin' or 1=1 -- -” but it also didn’t work. Then I thought, as the field says, let’s try some numbers, so I tried 45848 as the staff number and admin as the password, but no luck. Then I pasted “admin' or 1=1 -- -” in the password field and I was logged in.

dashboard

I was like :

I don’t know what happened

Then I tried multiple random staff numbers and it worked every time… :)

And my hacker mood was dancing like this :)

Success

After poking around I found that it is indeed a critical one, I was able to add tenders.
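
The write-up does not show the server-side code, so the following is an added example (not AirIndia's code and not from the author) of the kind of query construction that produces the behaviour described above, next to a parameterized form with hashed passwords. The table layout, function names and the staff record 10001 are constructed assumptions.

```python
import hashlib, hmac, os, sqlite3

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_db() -> sqlite3.Connection:
    """Constructed in-memory table; the schema is an assumption for illustration."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE staff (staff_no TEXT PRIMARY KEY, "
               "password TEXT, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO staff VALUES (?, ?, ?, ?)",
               ("10001", "S3cret!pw", salt, _hash("S3cret!pw", salt)))
    return db

def login_vulnerable(db, staff_no: str, password: str) -> bool:
    # Assumed 'before' pattern: input is concatenated into the SQL text, so a
    # quote in the password field ends the string literal and the rest is parsed
    # as SQL. "OR 1=1" makes the WHERE clause true for every row, which is why
    # any staff number, even one that does not exist, appears to log in.
    sql = ("SELECT staff_no FROM staff WHERE staff_no = '" + staff_no +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone() is not None

def login_hardened(db, staff_no: str, password: str) -> bool:
    # Reject non-numeric staff numbers, bind the value as a parameter, and
    # compare a salted hash in application code instead of inside the query.
    if not staff_no.isdigit():
        return False
    row = db.execute("SELECT salt, pw_hash FROM staff WHERE staff_no = ?",
                     (staff_no,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(_hash(password, row[0]), row[1])

PAYLOAD = "admin' or 1=1 -- -"  # the string quoted in the write-up

if __name__ == "__main__":
    db = make_db()
    for staff_no in ("10001", "45848"):  # 45848 is absent from the constructed table
        print(staff_no, login_vulnerable(db, staff_no, PAYLOAD),
              login_hardened(db, staff_no, PAYLOAD))
```
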

After trying multiple times I still didn’t believe that I had bypassed the login of AirIndia, so I invited a very good friend, Harsh Banshpal.

And he told me to report it at cert-in.org.in, and we did report it.

And they told me this :

cert-in reply

And after 1 week, when I was working on this writeup, I found that they had fixed the bug but didn’t inform me, which was annoying :|

Timeline:

Reported the issue: Thu, Jan 27, 4:02 PM

Cert-in reply: Fri, Jan 28, 11:25 AM

Fix: within 5 days

There wasn’t any transparency during the vulnerability assessment, which I didn’t expect.

If you like this article, make sure to give a clap and do follow us on

linkedin :

ME:

Harsh:

https://www.linkedin.com/in/harshbanshpal

Instagram :

https://www.instagram.com/sarans0x00h/

https://www.instagram.com/harsh_ban_/

Happy hunting and keep growing hackers :)
