How I Hacked My College :-)

Harsh Malhotra
2 min read · Jun 6, 2021

Vulnerability: no limit on incorrect attempts

Summary

It is possible to brute-force the recovery code sent by email on SFIT-ERP because the portal does not limit incorrect input attempts. I tried 80+ different combinations until I reached the 6-digit code the user received by email.

Severity — Medium

Steps to Reproduce:-
1. Click the “Reset password” option on the ERP portal.

2. Enter the PID and email (the email can be found on the online payment portal just by entering the PID: www.sfit.ac.in/SfitPaymentLandPageById.php).

The page where one can find the email required to send a reset request.

3. Start Burp Suite and capture the request.
4. Click “check for existence”; it lands you on the page where the OTP needs to be entered.

5. Send the captured request to Intruder.

6. From Intruder, launch a brute-force of the 6-digit code.

If we observe carefully, the response length stays constant for every wrong guess, because each one redirects to the incorrect-OTP page; when the OTP is correct, a different page loads and the length value changes. So the instant the length changes, we have hit the jackpot.
Now we have the correct OTP and can reset the user’s password!

Proof of Concept

https://www.youtube.com/watch?v=z0OqZptW8tk

Mitigation
— Limit the number of attempts to enter the recovery code
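As an added example (not code from the original post or from SFIT-ERP), a minimal server-side verifier that enforces this mitigation: each PID's code tolerates a fixed number of wrong guesses and is then discarded, so the remaining 6-digit candidates can no longer be walked through. The class name, the threshold of 5 and the PID values are assumptions.

```python
import hmac
import secrets

# Assumption: the post only says "limit the number of attempts"; 5 is a constructed threshold.
MAX_ATTEMPTS = 5


class RecoveryCodeStore:
    """Hypothetical server-side store for password-reset codes keyed by PID."""

    def __init__(self, max_attempts: int = MAX_ATTEMPTS):
        self.max_attempts = max_attempts
        self._challenges: dict[str, dict] = {}  # pid -> {"code": str, "attempts": int}

    def issue(self, pid: str) -> str:
        # CSPRNG, zero-padded to 6 digits. A real system emails the code and never
        # returns it to the browser; it is returned here only so the demo can run.
        code = f"{secrets.randbelow(10**6):06d}"
        self._challenges[pid] = {"code": code, "attempts": 0}
        return code

    def verify(self, pid: str, submitted: str) -> str:
        """Return 'ok', 'invalid' or 'locked'. Every wrong guess is counted."""
        challenge = self._challenges.get(pid)
        if challenge is None:
            return "invalid"
        challenge["attempts"] += 1
        if hmac.compare_digest(challenge["code"].encode(), submitted.encode()):
            del self._challenges[pid]  # single use: a code cannot be replayed
            return "ok"
        if challenge["attempts"] >= self.max_attempts:
            # Discard the code entirely so the remaining candidates can no longer be
            # walked through; the user has to request a fresh one.
            del self._challenges[pid]
            return "locked"
        return "invalid"


def attempts_until_locked(store: RecoveryCodeStore, pid: str) -> int:
    """Constructed check: number of wrong guesses a fresh code tolerates before lockout."""
    code = store.issue(pid)
    wrong_guess = "000000" if code != "000000" else "000001"
    for n in range(1, store.max_attempts + 1):
        if store.verify(pid, wrong_guess) == "locked":
            return n
    return -1  # not reached: lockout always triggers at max_attempts
```

With the threshold at 5, a guessing run gets five wrong answers and then the code is gone, which is what turns the 80+ attempts described above into a dead end.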

Impact
— Account takeover

This is given for educational purposes only; unauthorized usage may lead to legal action!


Harsh Malhotra

A student interested in cyber security and making the internet a safer place :-)… I haven’t posted anything special yet, but will soon be active with better content. :-)