I Hacked and Secured 100+ Kerala Government Websites

SRLSEC 🇮🇳
4 min read · Jan 30, 2024


Hi everyone,

I’m Sarathlal Srl (a.k.a. SRLSEC) from India. During my bug hunting journey, I have received lots of official acknowledgments from the National Critical Information Infrastructure Protection Centre (NCIIPC) for discovering critical security vulnerabilities on Kerala government websites. I’m extremely grateful for keeping our nation’s web applications secure and reliable, and I strive hard to maintain the systems’ integrity.

NCIIPC (National Critical Information Infrastructure Protection Center)

The Responsible Vulnerability Disclosure Program is a great initiative by the NCIIPC to acknowledge security researchers for reporting critical bugs on government websites (*.gov.in).

Link: https://nciipc.gov.in/RVDP.html

I reported all the bugs and was awarded the Hall of Fame at the National Critical Information Infrastructure Protection Centre (NCIIPC) twice.

https://www.nciipc.gov.in/documents/NCIIPC_Newsletter_Jan22.pdf
https://www.nciipc.gov.in/documents/NCIIPC_Newsletter_Apr22.pdf

Hunting Part

SQL Injection Vulnerability

SQL injection occurs when coding errors allow an attacker to modify the structure of the SQL executed by the database server, changing the statement’s logic to potentially malicious ends rather than those intended by the application. The most common cause is the use of unfiltered user input from a web form in SQL statements constructed by string concatenation. SQL injection vulnerabilities are one of the most serious classes of application security flaw: even a single piece of vulnerable code can let an attacker read important data or take control of the application or server.
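To make the concatenation-versus-parameters distinction concrete, here is an added example that is not code from the original post or from any of the affected sites. It uses Python’s built-in sqlite3 module with a constructed in-memory table (the table, rows and the lookup function names are all assumptions for this illustration). The same lookup is written twice: once by string concatenation, as the vulnerable pattern the paragraph describes, and once with a bound parameter, which is the fix.

```python
import sqlite3


def build_db():
    """Constructed sample database: three users in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable pattern: the input is pasted into the SQL text, so a quote
    in the input ends the string literal and the rest becomes SQL syntax."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened pattern: the statement structure is fixed and the input is
    bound as a value, so it can never change the WHERE clause's logic."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups with a normal username and with a classic tampered
    value; returns the four result sets so they can be compared."""
    conn = build_db()
    benign = "bob"
    tampered = "x' OR '1'='1"  # closes the literal and appends an always-true clause
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_tampered": lookup_vulnerable(conn, tampered),
        "safe_benign": lookup_parameterized(conn, benign),
        "safe_tampered": lookup_parameterized(conn, tampered),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the concatenated query, the tampered input returns every row in the table because the statement has become `WHERE username = 'x' OR '1'='1'`; with the bound parameter the same input simply matches no user. Reviewing a PHP or Python code base for the first shape (quotes around a concatenated variable inside SQL text) is the quickest way to triage the kind of findings this writeup describes.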

Mass Hunting of SQL Injection Vulnerability

I used the common methodology to find SQL injection vulnerabilities. For recon and testing, I used my own Python and Bash scripts to automate the tasks.

1. Subdomain enumeration

Scope: *.kerala.gov.in

  • Gathering subdomains and filtering them down to resolved domains

The script automates subdomain enumeration by running several tools, including amass, subfinder, sublist3r, and assetfinder.

2. Web probing

The script probes for live HTTP and HTTPS servers and saves them to an all-apps.txt file.

3. Technology stack scanning

Tech-stack-scanner is a web technology profiler that reports the following information for each host:

  • IP address, cloud provider, WAF, CDN, web server, OS, framework, backend language, CMS, database, and frontend frameworks.

The output is saved to a tech-result.csv file.

  • Filter the results down to the PHP apps

4. Collecting endpoints

  • I ran the following tools to collect URLs, both actively and passively.
  • Combine the tools’ output into one file, all-urls.txt
  • Remove duplicate URLs and keep only the parameterized ones
cat all-urls.txt | sort -u | grep "=" | urldedupe > param-urls.txt

5. Scanning SQL Injection vulnerability

Then I used SQLi-detector to find the SQL injections and kept it running on a VPS.
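Of the five steps above, the one that runs entirely offline is the step-4 filter that reduces a crawl to unique parameterized URLs (`sort -u | grep "=" | urldedupe`). The following is an added example, not code from the original post or from the urldedupe project, that reimplements that filter in Python so a site owner can produce the same inventory of parameterized endpoints from their own access logs or crawl output and prioritize those for code review. The URL list, the `app.example.com` host and the function names are constructed for this illustration; the dedupe key (scheme, host, path and the sorted set of parameter names, ignoring values) is an assumption about what "duplicate" should mean here.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed crawl output (not real URLs from the writeup): mixed-case hosts,
# repeated values, reordered parameters, a blank value and one non-parameterized page.
SAMPLE_URLS = """
https://app.example.com/view.php?id=1
https://app.example.com/view.php?id=2
https://app.example.com/view.php?id=1
https://app.example.com/about.php
https://app.example.com/search.php?q=test&page=1
https://app.example.com/search.php?page=2&q=other
HTTPS://APP.EXAMPLE.COM/view.php?id=9
https://app.example.com/list.php?cat=
https://app.example.com/list.php?cat=a&sort=asc
http://app.example.com/view.php?id=3
""".strip().splitlines()


def dedupe_key(url):
    """Key a URL by scheme, host, path and the sorted set of parameter NAMES.
    Parameter values are ignored: ?id=1 and ?id=2 exercise the same code path."""
    parts = urlsplit(url.strip())
    names = tuple(sorted(k for k, _ in parse_qsl(parts.query, keep_blank_values=True)))
    return (parts.scheme.lower(), parts.netloc.lower(), parts.path, names)


def parameterized_urls(urls):
    """Equivalent of `sort -u | grep "=" | urldedupe`: keep the first URL seen
    for each distinct (scheme, host, path, parameter-name set), drop the rest."""
    seen = set()
    kept = []
    for url in urls:
        url = url.strip()
        if "=" not in url:          # the grep "=" step: no query parameters, skip
            continue
        key = dedupe_key(url)
        if key in seen:
            continue
        seen.add(key)
        kept.append(url)
    return kept


def parameter_inventory(urls):
    """Map each path to the sorted list of parameter names ever seen on it.
    This is the view a code owner wants: which handlers take which inputs."""
    inventory = {}
    for url in urls:
        parts = urlsplit(url.strip())
        if not parts.query:
            continue
        names = inventory.setdefault(parts.path, set())
        names.update(k for k, _ in parse_qsl(parts.query, keep_blank_values=True))
    return {path: sorted(names) for path, names in inventory.items()}


if __name__ == "__main__":
    for url in parameterized_urls(SAMPLE_URLS):
        print(url)
    print(parameter_inventory(SAMPLE_URLS))
```

On the constructed input the filter keeps five URLs: the two `search.php` entries collapse into one because they carry the same parameter names in a different order, the upper-cased `view.php?id=9` collapses into the first `view.php` entry, and `about.php` is dropped for having no parameters. The `http://` variant is kept as a separate entry because the key includes the scheme; drop `parts.scheme` from the key if the site serves identical code on both ports.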

I reported 103 SQL injections to the NCIIPC; they approved them and are working to fix the issues.

Thanks for reading my writeup : )

SRLSEC 🇮🇳

Offensive Web Application Security | Python Developer | Network Engineer