Deutsche Telekom Database Dump

DeutscheTelekom

Here is a simple and critical vulnerability I’ve found in Deutsche Telekom allowed me to dump the database due to Authorization bypass.

The web application main page is the login page: demandplan.telekom.de/identification.php

I opened the web page source and there were some php file names inside javascript such as

index.php, adminuser.php, ProjectExport.php and so on..

thakafee3

I tried to browse every file, all of them redirected to the login page, But that ProjectExport.php file took more seconds and then redirected to the login page.

https://demandplan.telekom.de/projectExport.php

More seconds with file name includes “export” referred that there is something happened, I opened the file again and I found what I expected,  Content-Disposition header response included an attached file -> “export.txt”

telekomdownload

This file generated a backup file of the database

By intercepting the response, the generated file content open in the response body, Check the Content-Length header.

That’s enough to get the data but I wanted to get the exact folder name, https://demandplan.telekom.de/$foldername/export.txt

Via a simple manual bruteforce I got it  => /export

Final file path was: https://demandplan.telekom.de/export/export.txt

That file included a backup of the database.

thakafee

Auth Bypass:

Admin login and privileges validation should happen before opening the web page content, Not after, In this web app, the page content opened then validation happened which resulted in redirection to the login page, Just stop the redirection and act like admin.

Telekom only rewards SQLI or RCE reports, But they rewarded this one with 1000 Euro as it’s a very critical one.

telekom1

Thanks Telekom

Also read...

Comments are closed.