Hello everybody, I'm a bug hunter from Yemen and I'm 17 … this is my first writeup, so please ignore any mistakes.
Our target: a private program on Bugcrowd [sub.domain.com]
Okay, so when I was looking for anything interesting at [sub.domain.com], there was only a login page like this: [sub.domain.com/login]
I tried to find the directories in this dir /login/ with [dirb-tool],
and I found a lot of directories, and [Directory listing] was enabled. So I tried to find something interesting, but there was nothing, just HTML, images and .tbl files [I don't know exactly what these are].
I tried to understand them, but they were just like this:
<table cellspacing="0" cellpadding="0" style="width:428px; margin-top:10px;">
So yeah, nothing interesting yet … I was feeling bored.
But after some time, maybe 2 hours, I checked [dirb] and saw this:
==> DIRECTORY: http://sub.domain.com/login/modules/
==> DIRECTORY: http://sub.domain.com/login/plugin/
==> DIRECTORY: http://sub.domain.com/login/sys/
==> DIRECTORY: http://sub.domain.com/login/templates/
==> DIRECTORY: http://sub.domain.com/login/update/
Still doesn't seem critical, right?
But after checking the directories, I found this:
What's the matter here?
I just saw this code:
You can understand that there is an action in [nomoPopup.php] to dump the SQL DB!!
But I saw this dir:
Here I found an [update.rar] file. I downloaded it, and it was [BackUp files].
And that's amazing: now we have the PHP files and I was able to read the config file. But hmmmm, I then tried to read the login page PHP source, and after some time I discovered an [SQL Auth bypass] in the login page … and now I have found 2 critical bugs.
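For the two exposures described in this writeup (directory listing and a backup archive left under the web root), here is a defender-side audit of a document root, added as an example that is not part of the original writeup. The extension list, the index file names and the sample tree (including `page.tbl` and `sys/config.php`) are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumed lists (not from the writeup): extensions that usually mean a backup
# or archive, and file names a web server serves instead of a directory listing.
RISKY_EXTENSIONS = {".rar", ".zip", ".tar", ".gz", ".7z", ".bak", ".old", ".sql"}
INDEX_FILES = {"index.php", "index.html", "index.htm"}


def audit_webroot(root):
    """Return (archives, unindexed_dirs) as sorted paths relative to root."""
    archives, unindexed = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        names = {name.lower() for name in filenames}
        # No index file: the directory is listed if autoindex is enabled.
        if not names & INDEX_FILES:
            unindexed.append(rel_dir)
        for name in filenames:
            if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
                archives.append(os.path.normpath(os.path.join(rel_dir, name)))
    return sorted(archives), sorted(unindexed)


def build_sample_webroot(base):
    """Constructed sample tree mirroring the layout named in the writeup."""
    files = ["login/index.php", "login/templates/page.tbl",
             "login/update/update.rar", "login/sys/config.php"]
    for rel in files:
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as handle:
            handle.write("placeholder")
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        found, listed = audit_webroot(build_sample_webroot(tmp))
        for path in found:
            print("archive in web root:", path)
        for path in listed:
            print("no index file (listable):", path)
```

Run it against the real document root before each deployment; any archive it reports should be moved outside the served tree, and directory listing should be disabled in the server configuration regardless of which directories have index files.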