September 9, 2018

ZOL Zimbabwe Authentication Bypass to XSS & SQLi Vulnerability – Bug Bounty POC

Hey guys! I'm back with a new post. This one is about an authentication bypass vulnerability in one of the subdomains of https://zol.co.zw/ (ZOL Zimbabwe), followed by an XSS and then an SQLi in the control panel behind it. So the main focus of this blog post will be on how I got access to the CP, then how I got the XSS, and finally the SQLi.

So, fast forward: I found a subdomain of the site, http://psizimll2.zol.co.zw/, and it was showing the default IIS7 page, like in the picture below.

So at first I started testing this subdomain for two of the most common issues found in IIS7:
1) Microsoft IIS tilde vulnerability (and the site was vulnerable to this issue)
2) HTTP.sys DoS & possible RCE


But after testing these common issues on the subdomain I got nothing useful and decided to dig deeper. So I searched the subdomain on Google to see if there was any information about it (most of the time a simple Google search gives you some files or folders), but negative, I got nothing. I also went through VirusTotal and some other sites like the Web Archive to get some information, but nothing.

After this, the next phase of my testing was to use DirBuster & DirScanner to look further for any possible files/folders, and after a while I got some URLs like:

http://psizimll2.zol.co.zw/test.php
http://psizimll2.zol.co.zw/info.php
http://psizimll2.zol.co.zw/cp.php

The two pages test.php and info.php were both leaking information through phpinfo() pages.

So at this point I had two issues in that subdomain.

Now, whenever I went to the URL http://psizimll2.zol.co.zw/cp.php I got redirected to the main page of the subdomain, http://psizimll2.zol.co.zw/. As many of you know about redirect-based bypass techniques: I added the URL cp.php to the Firefox extension called NoRedirect, and then when I went to
http://psizimll2.zol.co.zw/cp.php it didn't redirect me to
http://psizimll2.zol.co.zw/ and I had access to
http://psizimll2.zol.co.zw/cp.php, which looked like a control panel for some sort of web app that had user data in it. In other words, the page sent the redirect but still served the panel content in the same response; the browser normally follows the redirect before you ever see that body.
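To make the bypass above concrete, here is an added example (not code from the original post or from ZOL's application) that models the classic cause of this class of bug: an access check that emits a redirect but does not stop rendering, so the protected page travels in the body of the 302. It also includes a defender-side check that flags such responses. All function names, the panel markup and the sample responses are constructed for illustration; they are not taken from cp.php.

```python
# Added example (not from the original post): a model of a redirect-based
# authentication bypass. The protected handler answers with a 302 to "/" for
# anonymous users, but the vulnerable variant keeps rendering, which is what
# a client that ignores Location headers (such as the NoRedirect extension)
# gets to see. Names, markup and responses are constructed for illustration.
from dataclasses import dataclass, field

# Constructed stand-in for the control panel page (not the real cp.php output)
PANEL_HTML = (
    "<html><body><h1>Control Panel</h1>"
    "<table><tr><th>User</th><th>Email</th></tr>"
    "<tr><td>example-user</td><td>user@example.invalid</td></tr></table>"
    "</body></html>"
)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def cp_handler_vulnerable(logged_in: bool) -> Response:
    """Access check that redirects but does not stop processing.

    This mirrors PHP code that calls header('Location: /') without exit;
    everything after the check still runs and its output is sent with the 302.
    """
    resp = Response(status=200)
    if not logged_in:
        resp.status = 302
        resp.headers["Location"] = "/"
        # BUG: no return here, so the panel is still rendered below
    resp.body = PANEL_HTML
    return resp


def cp_handler_fixed(logged_in: bool) -> Response:
    """Access check that terminates the request when it redirects."""
    if not logged_in:
        return Response(status=302, headers={"Location": "/"})
    return Response(status=200, body=PANEL_HTML)


def body_seen_without_following(resp: Response) -> str:
    """What a client that ignores Location headers sees: the raw 3xx body."""
    return resp.body


def audit_redirect_leak(resp: Response) -> bool:
    """Defender-side check: a 3xx response should carry at most a stub body.

    Flags redirects whose body contains real page structure (tables, forms,
    inputs), a sign the protected page was rendered and sent anyway.
    """
    if not 300 <= resp.status < 400:
        return False
    lowered = resp.body.lower()
    return any(tag in lowered for tag in ("<table", "<form", "<input"))


if __name__ == "__main__":
    for name, handler in (("vulnerable", cp_handler_vulnerable), ("fixed", cp_handler_fixed)):
        r = handler(logged_in=False)
        print(f"{name}: status={r.status} leak={audit_redirect_leak(r)} "
              f"body_len={len(body_seen_without_following(r))}")
```

The audit function is the kind of check you can run over saved HTTP responses from a crawl: any 3xx whose body is more than a stub deserves a look, because the redirect is then only a suggestion to the client, not an access control.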

Now I searched for some data, and it was a user information database of some sort. While searching in it I found another page, http://psizimll2.zol.co.zw/dnpc.php, which had a user data function where I could search user data between particular dates. While searching, a POST request was sent to the file /dnpc.php with the post data
Submit2=Go&end_dt1&start_dt=10, and I saw that anything we added to the parameters end_dt or start_dt was reflected back in the page inside a <th></th> tag. So I added a simple image XSS payload; it was reflected back to me inside the <th></th> tag and the XSS payload was executed.

And 

I would like to mention that, due to some error, the search input was saved on this page, so it became a stored XSS 🤣
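The reflected (and, because the input was saved, stored) XSS described above comes down to one thing: the POSTed date values were written back into an HTML table header without output encoding. The following is an added example, not code from the original post or from dnpc.php, that models that rendering beside a hardened version which validates the dates and HTML-encodes them on output. The function names, the expected date format and the markup are assumptions for illustration.

```python
# Added example (not from the original post): rendering of the start_dt /
# end_dt search parameters into a <th> cell, vulnerable vs. hardened.
# The date format and the markup are assumptions for illustration.
import html
import re

# Assumed expected format for the date fields (YYYY-MM-DD)
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def render_header_vulnerable(start_dt: str, end_dt: str) -> str:
    # Raw interpolation: whatever was POSTed lands in the page as markup
    return f"<tr><th>Results from {start_dt} to {end_dt}</th></tr>"


def render_header_safe(start_dt: str, end_dt: str) -> str:
    # Output encoding: every value placed into HTML text is escaped for that context
    return (
        f"<tr><th>Results from {html.escape(start_dt, quote=True)}"
        f" to {html.escape(end_dt, quote=True)}</th></tr>"
    )


def validate_date(value: str) -> bool:
    """Allow-list validation: only well-formed dates reach the rest of the app."""
    return bool(DATE_RE.match(value))


def handle_search(start_dt: str, end_dt: str, saved_state: dict) -> str:
    """Hardened dnpc.php-style flow: validate first, persist only valid input,
    and encode on output. saved_state models the server-side store that made
    the original bug a stored XSS (a constructed stand-in)."""
    if not (validate_date(start_dt) and validate_date(end_dt)):
        return "<p>Invalid date range.</p>"
    saved_state["last_search"] = (start_dt, end_dt)
    return render_header_safe(start_dt, end_dt)


if __name__ == "__main__":
    # Constructed sample input modelled on the "simple image XSS payload" idea
    sample = '<img src=x onerror=alert(1)>'
    print(render_header_vulnerable(sample, "10"))
    print(render_header_safe(sample, "10"))
    print(handle_search(sample, "2018-09-01", {}))
```

Validation and output encoding are separate layers on purpose: the regex stops junk from ever being stored, and html.escape protects every place the value is later printed, including any saved copy that a different template renders.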

Now it was getting boring, so I decided to write the report to the team, but then decided to look for one last issue that could make the report look better.

So at the same endpoint, in the same POST request as above (Submit2=Go&end_dt1&start_dt=10), I simply searched for 1' as I started looking for an SQL injection issue, and boom, the response for this request gave me an error:

Could not get htccc data: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1

And 

So I did exploit this issue to get the basic info and tables, and then I was convinced I should stop further tests on this subdomain and report the issue. The ZOL team patched these issues by deleting the files and blocking access to the subdomain 👏

Thanks for Reading this guys 🙂 

