Monday, June 23, 2014

Using PHP cURL to get the PNR status of Indian Railways (updated)

Declaration and warning: This is done just as an example, and I declare that I have no intention to create a DoS and that it is not intended to harm http://indianrail.gov.in. I am ready to remove the post as well as the hosted file if this is going to harm indianrail.gov.in in any way. I am not responsible for anyone using this code for any reason. Use this code at your own risk.
Note: The website has been fixed, so this API no longer works. This is an update of the post here.
Details of the API can be found in the older post.
The changed details are given here.

The final code is maintained in github now. You can find the code here.

What has changed:

1. The site now has a captcha, so the captcha value has to be passed as a parameter.
2. The code now comes with some comments.

How it is done is detailed below:

How the captcha value is found

A captcha is an image containing something (in this case a number) that the user is prompted to type back in, to validate that a human rather than a script is submitting the form.
So if this is true, how did our script get the PNR status? Did we use any complex image processing?
No, not at all.
The captcha does not serve the purpose it is intended for: the value shown in the captcha image is also stored in a hidden INPUT field of the same form.
This is the last thing you should do when designing a web site. The expected value is supposed to be kept on the server (for example in the session) and never sent to the client, but this site sends it along with the form, so it is vulnerable.

So my first approach was to crawl the page, read the captcha value from the hidden field, and then make the cURL POST request. While implementing this I found that the site has a second vulnerability.
You don't even need to send back the value the server generated; you can send any number. The only catch is that the value you enter and the hidden input you send must match, i.e. the POST variables given below:
$post_data['lccp_cap_val'] = 12345; // dummy captcha
$post_data['lccp_capinp_val'] = 12345; // same dummy data
The only validation done at the server is to compare these two POST fields, and both of them are under the client's control.
I know what you are thinking: how silly is that? Yes, it is not done the way it is supposed to be done, and this is our government site.
The only other check the server does is whether the request originates from the parent page, but that is based on the Referer header, which is also supplied by the client and can be set to anything with
curl_setopt($curl_connection, CURLOPT_REFERER, $refer);
Please treat this blog post as being for educational purposes and do not exploit this vulnerability.
I hope the site fixes this issue. If it is fixed, the API will no longer work and I would need to find another weakness to make it work.
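To make the two weaknesses concrete, here is an added example that is not code from the original post or from indianrail.gov.in: a small Python simulation of the server side, using the post's own field names lccp_cap_val and lccp_capinp_val, that shows the weak check (compare two client-supplied fields, then look at the Referer) beside a hardened one in which the expected value stays in a server-side session, is compared in constant time, is single-use and expires. CaptchaStore, the session ids, the TTL and the handler names are assumptions made for the illustration.

```python
"""Captcha validation: the weak server-side pattern described in the post
beside a hardened one.

Added example, not code from the original post or from indianrail.gov.in.
The server is simulated in plain Python; a dict stands in for the session
store. The POST field names lccp_cap_val and lccp_capinp_val are the ones
the post quotes; CaptchaStore, session ids and the TTL are assumptions.
"""
import hmac
import secrets
import time

CAPTCHA_TTL_SECONDS = 300  # assumed lifetime of a challenge


def weak_captcha_check(post):
    """The pattern the post describes: the expected value is sent to the
    browser in a hidden input and posted back, so the server can only compare
    two fields the client chose. Any matching pair passes."""
    return post.get("lccp_cap_val") == post.get("lccp_capinp_val")


def weak_referer_check(headers, parent_page):
    """The 'originates from the parent page' check. The Referer header is set
    by the client (curl: CURLOPT_REFERER), so it is not a security control."""
    return headers.get("Referer", "").startswith(parent_page)


class CaptchaStore:
    """Hardened version: the answer never leaves the server.

    Only the rendered image goes to the client; the digits are kept here,
    keyed by session id. A real deployment would back this with a server-side
    session store; the dict is an assumption for the example.
    """

    def __init__(self, now=time.time):
        self._now = now        # injectable clock, so expiry can be tested
        self._answers = {}     # session_id -> (answer, issued_at)

    def issue(self, session_id, digits=5):
        """Create a fresh challenge for the session and return the digits so
        the caller can render them as an image. They are not put in the form."""
        answer = "".join(secrets.choice("0123456789") for _ in range(digits))
        self._answers[session_id] = (answer, self._now())
        return answer

    def verify(self, session_id, submitted):
        """Compare the user's input with the stored answer. The challenge is
        consumed on the first attempt (pass or fail), must not be older than
        CAPTCHA_TTL_SECONDS, and is compared in constant time."""
        record = self._answers.pop(session_id, None)
        if record is None:
            return False
        answer, issued_at = record
        if self._now() - issued_at > CAPTCHA_TTL_SECONDS:
            return False
        return hmac.compare_digest(answer.encode(), str(submitted or "").encode())


def handle_pnr_request_weak(post, headers):
    """What the post's script exploited: both checks look only at data the
    client sent, so any matching pair plus a copied Referer gets through."""
    return weak_referer_check(headers, "http://indianrail.gov.in") and weak_captcha_check(post)


def handle_pnr_request_hardened(store, session_id, post):
    """The same endpoint with the answer held server-side. The hidden field
    lccp_cap_val is ignored entirely; only the user's typed value matters."""
    return store.verify(session_id, post.get("lccp_capinp_val"))


if __name__ == "__main__":
    # Constructed request mirroring the post: a dummy captcha pair plus a
    # spoofed Referer, exactly what CURLOPT_REFERER lets a script send.
    scripted = {"lccp_cap_val": "12345", "lccp_capinp_val": "12345"}
    spoofed = {"Referer": "http://indianrail.gov.in/"}
    print("weak check accepts scripted request:",
          handle_pnr_request_weak(scripted, spoofed))

    store = CaptchaStore()
    store.issue("session-abc")  # an image of these digits would be shown to the user
    print("hardened check accepts scripted request:",
          handle_pnr_request_hardened(store, "session-abc", scripted))
```

The point of the two handlers side by side: everything that arrives in the request (hidden fields, the Referer, the typed value) is attacker-controlled, so the server has to hold its own copy of the expected answer and compare against that, and throw the challenge away after one attempt so it cannot be replayed or brute-forced.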

3 comments:

  1. hi, is there any update on the code as of 2019?

  2. This is a truly good site post. Not too many people would actually do it the way you just did. I am really impressed that there is so much information about this subject that has been uncovered, and you've done your best, with so much class. If you want to know more about green smoke reviews, then by all means come in and check our stuff. train pnr status

  3. Amazing post about getting PNR status from PHP. I am here to share a useful resource too, which is about train fares. If you want to check train fares, then you need to stay tuned to this page.
