Hello everybody, I’m a bug hunter from Yemen and I’m 17 … this is my first writeup, so please ignore any mistakes.

Our target: a private program on Bugcrowd [ sub.domain.com ]

Okay, so when I was looking for anything interesting at [sub.domain.com] there was only a login page like this: [sub.domain.com/login]

I tried to find the directories under /login/ with [dirb-tool]

and I found a lot of directories, and [Directory listing] was enabled, so I tried to find something interesting but found nothing, just HTML, images and .tbl files [I don’t know exactly what these are]

I tried to understand them, but they just looked like this:

<table cellspacing="0" cellpadding="0" style="width:428px; margin-top:10px;">

So yeah, nothing interesting yet … I was feeling bored

But after some time, maybe 2 hours, I checked [dirb] and I saw this ..

==> DIRECTORY: http://sub.domain.com/login/modules/
==> DIRECTORY: http://sub.domain.com/login/plugin/
==> DIRECTORY: http://sub.domain.com/login/sys/
==> DIRECTORY: http://sub.domain.com/login/templates/
==> DIRECTORY: http://sub.domain.com/login/update/

Still doesn’t seem critical, right?

But after checking the directories I found this:

http://sub.domain.com/login/modules/admin/templates/uk/
What’s the matter here?

http://sub.domain.com/login/modules/admin/templates/uk/admin.dbbackup.tpl

I just saw this code:

<a href="javascript:nomoPopup('nmcron.php?action=dbdump',650,400,'DbSqlDump');">
TEST:   DB-Sicherung (SQL-Dump)
</a><br /> 

You can understand that there is an action in [nomoPopup.php] to dump the SqlDB !!

But I saw this directory:

http://sub.domain.com/login/update/

Here I found an [update.rar] file. I downloaded it and it contained [BackUp files]

And that’s amazing: now we have the PHP files and I was able to read the config file. But hmmmm, I just tried to read the login page PHP source, and after some time I discovered [SQL Auth bypass] in the login page …………………. and now I have found 2 critical bugs.

PEACE OUT
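
A defender-side check for the exposures this writeup chained together (directories with no index file while directory listing is enabled, raw templates, and a backup archive sitting in the web root), as an added example that is not part of the original post. The extension lists, the index file names and the sample tree are assumptions constructed for illustration; only the names update.rar and admin.dbbackup.tpl and their directories come from the post.

```python
import os
import tempfile

# Assumed policy (not from the original post): file types that should never be
# directly downloadable from a web root, and the names that count as an index file.
ARCHIVE_EXT = {".rar", ".zip", ".tar", ".gz", ".7z", ".sql", ".bak"}
TEMPLATE_EXT = {".tpl", ".tbl"}
INDEX_FILES = {"index.php", "index.html", "index.htm"}


def audit_webroot(root):
    """Return sorted (relative_path, finding) pairs for everything under root."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        names = {f.lower() for f in filenames}
        # With auto-indexing on, a directory without an index file is listed to any visitor.
        if not names & INDEX_FILES:
            findings.append((rel_dir, "no index file: listable if auto-index is on"))
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()
            rel = name if rel_dir == "." else f"{rel_dir}/{name}"
            if ext in ARCHIVE_EXT:
                findings.append((rel, "archive/backup in web root"))
            elif ext in TEMPLATE_EXT:
                findings.append((rel, "raw template served as static file"))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample layout mirroring the paths named in the post."""
    layout = {
        "login/index.php": "<?php // constructed login page stub",
        "login/update/update.rar": "constructed placeholder, not a real archive",
        "login/modules/admin/templates/uk/admin.dbbackup.tpl": "constructed template stub",
    }
    for rel, body in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, finding in audit_webroot(tmp):
            print(f"{path}: {finding}")
```

Run against a deployment directory before release, any finding is a reason to move the file out of the web root or to deny the path in the server configuration.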
