
Hi, now I want to share about “How I got easy Clickjacking and escalated to IDOR at Mola TV”

Before I start…
First I want to explain what “Mola TV” is.

Mola TV is a channel as well as a multiplatform cable television, IPTV, and video-on-demand over-the-top channel in Indonesia and Timor Leste, owned and operated by Polytron.

source: https://id.wikipedia.org/wiki/Mola_TV

Okay, back to the topic…

Explanation

The user profile endpoint https://mola.tv/accounts/_/v2/profile
did not set X-Frame-Options on the response, and it contained sensitive information such as email, phone number, uid, etc.



Hello,
This time I will write a write-up about “How I got Time-Based SQL Injection at jamtangan.com”

And this time I want to write the write-up in Indonesian, simply because I feel like it *lol

Okay, first I want to explain that jamtangan.com has a Bug Bounty Program; the full details can be accessed here: https://bantuan.jamtangan.com/hc/id/articles/360026084611-Pelaporan-Bug

Explanation

What is Time-Based SQL Injection?
This technique is an inferential technique that relies on sending SQL queries to the database that force the database to wait for a certain period of time (in seconds) before responding.

source: https://bssn.go.id/wp-content/uploads/2019/09/Proteksi-terhadap-Kerentanan-SQL-Injection-2019-v.1.3.1_sign.pdf

Steps to Reproduce

  1. Visit: https://www.jamtangan.com/myaccount/
  2. Click on the section…



Hello guys,
This is my first write-up and I want to share about “How I got easy $$$ for an SQL Injection Bug”

Note: I will call the target Redacted.com

Tools: Burp Suite

Proof of Concept:

1. Sign up for a new account

2. Follow the instructions, and then I got this page:

Rafi Andhika Galuh

Cyber Security Enthusiast
