I Hacked Every Single Staff Account on AirIndia within 1.5 Minutes :)

Saransh Saraf aka (MR23R0)
4 min readFeb 5, 2022
Staff Account takeover AirIndia

Hello Beautiful creative people, hope you’re doing great.

This is the continuation of “The Password Bypass Series”

So first of all let me clear a point, there will be some lines which you may don’t like so please don’t take it personal.

As my daily routine, I was at my shop with my Papa and a customer came who was showing off, he was telling me what he can do, he can hack and hacking is an Art (literally, I was like you know who I am :) but didn’t said anything to him.

After coming home, this small talk was keep coming in my mind again and again :\

then I thought let’s do something which will let him know who I really am :)

So I started googling programs (Indian), Then I thought let’s take a chance and target the AirIndia

But When I was searching Airindia’s bug bounty program I found this :|

No bounties for hackers ?

Which was very weird, Why they are no providing bounties or financial support, Then I told my self let’s do it only because of my pride my country “India” :)

After few minutes of recon, I found that most of airindia’s web-applications are running “IIS Windows” so I started to gather xss and sqlinjection parameters, but I didn’t found any xss or sqli.

So I thought let’s dig deeper, and I took one domain which was only for staff

“*.airindia.in”

tender staff login

So I tried Admin:Admin but it didn’t worked so I tried “admin’ or 1=1 — -” but It also didn’t worked, then I thought as the field says lets try some numbers so I tried 45848 as the staff number and admin as the password but no luck, then I pasted “admin’ or 1=1 — -” this in the password field and I was logged in

dashboard

I was like :

I don’t know what happend

Then I tried multiple random staff no and It worked every time… :)

And my hacker mood was dancing like this :)

Success

After poking around I found that it is indeed a critical one, I was able to add tenders.

After trying multiple times I still didn’t believed that I bypassed the login of Airindia, so I invited a very good friend Harsh banshpal

And he told me to report it at cert-in.org.in and we did reported it.

And they told me this :

cert-in reply

And after 1 week when I was working on this writeup I found that they fixed the bug, but didn’t informed which was annoying :|

timeline :

Reported the issue: Thu, Jan 27, 4:02 PM

Cert-in Reply : Fri, Jan 28, 11:25 AM

fix : withing 5 days

There wasn’t any transparency during the vulnerability assessment, which I didn’t expected.

if you like this article, make sure to give a clap and do follow us on

linkedin :

ME:

Harsh:

https://www.linkedin.com/in/harshbanshpal

Instagram :

https://www.instagram.com/sarans0x00h/

https://www.instagram.com/harsh_ban_/

Happy hunting and keep growing hackers :)

--

--

Saransh Saraf aka (MR23R0)

Writer of all kind, but mainly philosophy and cybersecurity mixed with physics concepts