| 1 | +--- |
| 2 | +layout: post |
| 3 | +date: 2024-02-14 |
| 4 | +title: Web exploitation at IRMUN |
| 5 | +tags: ['vulnerability-writeups'] |
| 6 | +--- |
| 7 | + |
| 8 | +# Hacking IRMUN website |
| 9 | + |
| 10 | +Hi everyone! Iβm Kapil Sareen, *aka **v1p3r***, a wannabe hacker and a member of **@InfoSecIITR**. Today Iβm excited to share what I **HACKED**! |
| 11 | + |
| 12 | +Iβll walk you through the process of discovering the vulnerability and demonstrate how small mistakes during development can lead to significant consequences. |
| 13 | + |
| 14 | +First, letβs give a shoutout to our sweet little vulnerable target β `IRMUN`. The bug was actually in their payment gateway integration, which allowed us to bypass payments entirely and enjoy free accommodations and food, all courtesy of our generous host, `IRMUN`. |
| 15 | + |
| 16 | + |
| 17 | + |
| 18 | +Alright, letβs dive into the real action! |
| 19 | +Weβll start by making a sample registration to see how we can avail the free goodies. But before proceeding, letβs check the payment status: |
| 20 | + |
| 21 | + |
| 22 | + |
| 23 | +As we can see, our **payment status** shows as **incomplete**. |
| 24 | + |
| 25 | +Letβs attempt to **make a payment** while intercepting the requests using **Burp Suite** to monitor the traffic in real-time. We get redirected to the **payment page**, butβ¦ wait! Weβre broke. So, letβs **cancel the payment** and return to inspect the backend requests captured by **Burp Suite**. |
| 26 | + |
| 27 | +One request immediately stands out β itβs directed to the endpoint: |
| 28 | +**`/api/payment_failure`**. |
| 29 | + |
| 30 | +<div style="display: flex; gap: 10px; justify-content: center;"> |
| 31 | + <img src="../assets/irmun/failure_request.png" alt="Failure Request" style="max-width: 48%;"/> |
| 32 | + <img src="../assets/irmun/endpoint_discover.png" alt="Endpoint Discovery" style="max-width: 48%;"/> |
| 33 | + </div> |
| 34 | + |
| 35 | + |
| 36 | + |
| 37 | +Letβs send this request to **Repeater** and see what itβs up to. Hmmβ¦ something feels off. The request body contains some peculiar URLs: |
| 38 | + |
| 39 | +- **`surl=http://irmun.iitr.ac.in/api/payment_failure`** |
| 40 | +- **`furl=http://irmun.iitr.ac.in/api/payment_failure`** |
| 41 | + |
| 42 | +Could these represent **success URL** and **failure URL**? And why is the request being sent to `/api/payment_failure`? |
| 43 | + |
| 44 | +Letβs experiment by changing the endpoint to: |
| 45 | +**`/api/payment_success`** |
| 46 | + |
| 47 | + |
| 48 | + |
| 49 | +Interestingβ¦ we get a **302 redirect** to `/successful`. Looks like weβve stumbled upon something promising. |
| 50 | + |
| 51 | +Now, letβs **drop all pending requests**, refresh the page, and **recheck our payment status**. |
| 52 | + |
| 53 | + |
| 54 | + |
| 55 | +#### π― **Voila! The payment is marked as complete.** |
| 56 | + |
| 57 | +Now we can enjoy all the **free goodies** without spending a dime! |
| 58 | + |
| 59 | +--- |
| 60 | + |
| 61 | +**π PS:** This vulnerability has been **responsibly reported** to and **patched by IRMUN**, so donβt worry β this is all **legal stuff**. π |
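Review bot: the writeup demonstrates the bypass but never states the root cause or the fix, so the "small mistakes during development" lesson promised at line 12 stays implicit; what the captured requests show is the server marking the order paid solely because a browser-initiated request reached `/api/payment_success`, with the `surl`/`furl` callback URLs supplied by the client in the request body. Suggest a short section after the "Voila!" heading naming the defect (the success callback trusts the client instead of confirming the transaction with the gateway) and the mitigation readers should take away (verify the gateway's signed or hashed response fields and transaction status server-side before updating payment status, and generate `surl`/`furl` on the server rather than accepting them from the request). Two smaller points: the text is full of mis-encoded characters (`Iβm`, `letβs`, `π―`, `π`), which suggests the file was saved or pasted in the wrong encoding and should be re-saved as UTF-8; and the `../assets/irmun/...` image paths are relative, which breaks under a Jekyll `post` layout whose permalinks nest posts under date directories, so a site-root path such as `/assets/irmun/...` is safer.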