Republic Media Hacking POC & Republic Bharat Too | Web Server Hacking

Chirag Artani
Sep 1, 2020

Hello, my name is Chirag Artani. I have previously posted here about how I hacked AU Optronics, for which I also got a small reward from them. Today I am sharing a proof of concept (POC) of hacking the main database of India’s top-rated digital media network in Hindi and English.

Update: After I published this post, they restricted the database user on their server using ModSecurity and are now also using a WAF, so I can no longer bypass it. However, the vulnerability is still there; it has not been fixed.

The first question that comes to everyone's mind is: why are you not submitting this report and vulnerability directly to Republic Media? The answer is that I have so far sent them 8 emails and messages and also tweeted, but they are not aware of it. So what I can do is make the vulnerability public without sharing any data, so that Republic Media might then take action on it.

Republic Bharat & Republic TV Database Hacking


I am an independent pen tester. I find bugs and vulnerabilities and submit reports to companies, and for submitting vulnerabilities I take a reward, which could be money, a prize, a hall of fame entry, etc.

Step 1. First, I researched the Republic World web server IPs

What I found was that everything was based on two IPs, which are:

52.172.197.48, 64.185.181.238

Now, when a huge website is based on two IPs, it means one IP is used for the front end and the other for the back end. The back end includes the database, and that could be direct PHP, JS, or Python files, or databases such as MySQL, MongoDB, PostgreSQL, etc.

Step 2. I researched the subdomains of republicworld.com

We can't find a vulnerability directly on the main website (for example, republicworld.com). We have to look at subdomains (for example, test.republicworld.com) and at directories, or paths (for example, republicworld.com/test). So I researched all of Republic's subdomains using Sublist3r, an open-source tool for enumerating the subdomains of any website.


So I found 44 subdomains, as you can see in the screenshot. Not all of them are working, so to check the status of the pages in bulk I used https://httpstatus.io/ (an awesome website).

What I saw was that, out of 44, 12–15 were working, so after that I researched only those instead of wasting time on the others.

Step 3. I found a subdomain with a path and a parameter.

When I saw a subdomain with a parameter, I suddenly felt that yes, I could do more research. I can't mention the exact subdomain, path, and parameter because the vulnerability is still there. So which vulnerability is it? I found SQL injection, which is the most critical vulnerability for any website or server because it involves the database.

Here is an example of what that means:

https://test.example.com/data?no=1

Here “http/https” is the protocol, “test” is the subdomain, “example” is the domain name, “.com” is the domain extension, “data” is the path, and finally “no=1” is the parameter. Many people know this, but what about those who have no idea? This basic knowledge could be useful in the future.

Step 4. SQL injection attack and information gathering at Republicworld.com

Let me write something about SQL injection. This vulnerability is considered critical, and big companies such as Microsoft and Intel pay $10000-$15000 for finding a SQL injection vulnerability, because it can be used to enumerate the data of a website's users. Also, if the database user has all privileges, it can change scripts/code and data too. In the republicworld.com database, the user does not have the authority to change code/scripts, but it does have the privilege to change the SQL database. By the way, now let's continue:

The subdomain, path, and parameter that I found expose the overall database of the website. There are two networks: the first is the Hindi network, called Republic Bharat, and the second is Republic TV, which is the English channel. The editor of both is my favorite journalist, Arnab Goswami. Both are available in this database: their subscribers, admins, users, shows, numbers, names, emails, and everything. I will demonstrate by sharing that below:

Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: ******** AND 7477=7477

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: ***** AND (SELECT 4732 FROM (SELECT(SLEEP(5)))HLvv)

Main payload which actually worked here: Type — Union Query

UNION ALL SELECT CONCAT(0x717a6a7671,0x6c7a50765747694e644e574745554f6a435154597164576b7251636e4941624466776b57634f4c46,0x717a716b71)# — -
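For defenders, the three technique types in the output above leave recognizable shapes in web access logs. The following is an added example, not part of the original post: it URL-decodes query parameters and labels them by technique. The log lines, paths and parameter names are constructed placeholders, and the patterns are simple signatures rather than a complete rule set.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# One signature per technique type reported in the output above.
RULES = {
    "boolean-based blind": re.compile(r"\b(?:and|or)\s+(\d+)\s*=\s*\1\b", re.I),
    "time-based blind": re.compile(r"\bsleep\s*\(\s*\d+", re.I),
    "union query": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
}

# Constructed request lines (paths and parameter names are placeholders).
SAMPLE_REQUESTS = [
    "GET /data?no=1 HTTP/1.1",
    "GET /data?no=1%20AND%207477%3D7477 HTTP/1.1",
    "GET /data?no=1%20AND%20(SELECT%204732%20FROM%20(SELECT(SLEEP(5)))HLvv) HTTP/1.1",
    "GET /data?no=1%20UNION%20ALL%20SELECT%20CONCAT(0x71,0x72)%23 HTTP/1.1",
    "GET /search?q=trade+union+and+select+committee HTTP/1.1",  # benign text
]

def classify(request_line):
    """Return the sorted technique labels matched by any decoded parameter value."""
    parts = request_line.split(" ")
    if len(parts) != 3:          # not a well-formed "METHOD target PROTO" line
        return []
    query = urlsplit(parts[1]).query
    labels = set()
    # parse_qsl percent-decodes values, so encoded payloads are matched too.
    for _name, value in parse_qsl(query, keep_blank_values=True):
        for label, pattern in RULES.items():
            if pattern.search(value):
                labels.add(label)
    return sorted(labels)

def scan(lines):
    """Return (line, labels) for every request that matched at least one rule."""
    hits = []
    for line in lines:
        labels = classify(line)
        if labels:
            hits.append((line, labels))
    return hits

if __name__ == "__main__":
    for line, labels in scan(SAMPLE_REQUESTS):
        print(", ".join(labels), "<-", line)
```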

I found three databases:

available databases [3]:
[*] information_schema
[*] *************
[*] *******
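The update at the top of this post says request filtering was added while the vulnerability itself stayed unfixed; the fix for this class of bug is in how the query is built. The following is an added example, not code from the original post or from the affected site: it uses an in-memory SQLite database with constructed, hypothetical table names to show the same inputs against a concatenated query and a parameterized one.

```python
import sqlite3

def make_db():
    # Constructed sample data; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE shows (no INTEGER, title TEXT);
        CREATE TABLE admins (email TEXT, pw_hash TEXT);
        INSERT INTO shows VALUES (1, 'Evening News'), (2, 'Debate');
        INSERT INTO admins VALUES ('admin@example.test', 'constructed-hash');
    """)
    return db

def lookup_vulnerable(db, no):
    # Before: the raw parameter becomes part of the SQL text and is parsed as SQL.
    return db.execute("SELECT title FROM shows WHERE no = " + no).fetchall()

def lookup_fixed(db, no):
    # After: the statement text is fixed; the parameter is bound as a value only.
    return db.execute("SELECT title FROM shows WHERE no = ?", (no,)).fetchall()

def compare(inputs):
    """Run each input through both lookups and return {input: (before, after)}."""
    db = make_db()
    return {v: (lookup_vulnerable(db, v), lookup_fixed(db, v)) for v in inputs}

# A normal value, the boolean condition from the output above, and a UNION
# that reads from a second table.
INPUTS = [
    "1",
    "1 AND 7477=7477",
    "0 UNION ALL SELECT email FROM admins",
]

if __name__ == "__main__":
    for value, (before, after) in compare(INPUTS).items():
        print(f"{value!r}\n  concatenated: {before}\n  bound:        {after}")
```

Binding removes the injection itself; the restricted database account mentioned earlier only limits what a successful injection can reach.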

I am very sorry for not sharing the exact path, subdomain, and parameter; otherwise other pen testers would steal and leak their data. I don't want to become part of that. My aim is very simple: I will provide details of the exact vulnerability, and how to fix it, directly to Republic Media and will take a reward.

Step 5. Tables, Columns & Data of Republic Bharat & Republic World

Here is the main thing. Instead of writing much, I'm sharing everything.

I found around 64 tables. Here are some:

| gro*** |
| admin_***_** |
| cate***es |
| admins |
| bharat_*** |
| bharat_**** |
| bharat_***_****l |
| card_*** |
| comm****_******tions |
| ****urations |

I am not sharing the exact names of all the tables; otherwise that would be a kind of data leak. Here you can see the word Bharat, which covers the database of Republic Bharat.

Now let's come to a table's columns and data:


Here you can see the columns. These columns contain real data, which is an expensive thing for any website/network.

OK, so now I am showing you the emails, with the main structure hidden:

These are the main people who can operate the whole server. As I said, I have everything, including their passwords.

Note: I am not sharing anyone's full data. Everything I am sharing here has the full identity etc. hidden.

So if anyone from Republic Media or Republic Bharat is reading this post, kindly contact me. Last time I submitted an XSS to them, and they fixed it without even thanking me. It hurt me a lot. But this time everything is different and it is a huge amount of data. As I see it, there are over 200K subscribers (emails) and many other things, so I believe you will give me a reward.

If you want to donate then please send me via PayPal: sachinartani@yahoo.in

Thank You!

Regards

Chirag Artani
