Blind SQL Injection in Redbus.in [Responsible Disclosure]

July 4, 2013

Redbus is the largest online bus ticket agent in India. Redbus suffered from a highly critical blind SQL injection vulnerability.

Vulnerable URL: http://www.redbus.in/Feedback/Thankyou.aspx?injectionVar=InjectionPayload

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

Host IP: 175.41.131.205

Web Server: Microsoft-IIS/7.0

Powered-by: ASP.NET

Using this exploit, I was able to access DB information like tables and columns. Sorry, reader, this time I cannot post complete details of the PoC or vulnerability.

Redbus message

Thank you, Redbus, for fixing this bug. I use Redbus for ticketing, so I feel Redbus must be more secure 😉

Special thanks to Garage4hackers Team

– [S]

We Provide Penetration Testing

