Hello guys,

I am Anil Tom. Since it’s been a long time since I last wrote a blog, I thought of writing one today. Here, I am sharing some of my findings in one of the Google acquisition domains.

Where is my Train

“Where Is My Train” by Sigmoid Labs Pvt. Ltd. is a unique app for trains that displays the live running status of trains and up-to-date schedules. The app can function offline without Internet or GPS. It is rated the №1 travel app in India.

The Story

On December 10, 2018, Google acquired Sigmoid Labs Pvt Ltd, and Where Is My Train hence became a part of Google. According to the Google VRP rule, one can report vulnerabilities to Google after 6 months from the acquisition date. I had always been fond of hunting in acquisition domains, so I did some recon on their website whereismytrain.in but could not find any vulnerabilities.

The Real Story begins here 😉

One day, one of my friends travelling to Bangalore from Chennai wanted me to pick him up from the station, so he shared his train status through the Where Is My Train application. When I saw his message, I was surprised because I could see some parameters in the URL, but when I had done my recon, I could not find any of those parameters. I copied the link and pasted it into my personal email, because that’s what I usually do for later testing. Later I picked up my friend and forgot about the site as usual.

A month later, another friend of mine, Thejus, messaged me on WhatsApp saying that he had found an open redirect in one of the Google acquisition domains, and he asked for my help to exploit it, because Google does not accept an open redirect unless we provide a way to exploit the vulnerability. Even after testing for a while, I could not exploit it, but then I recalled the Where Is My Train application. I opened my email and searched for whereismytrain.in. I got the link and tried my basic recon steps.

The first thing I did was a Dirsearch, but I did not get any results from it. Then I opened Burp, added the site to the scope and ran the Spider. After some time I got a strange directory called “/mt”, and I opened it in the browser. It was an internal panel with no authentication, and I was like ‘No it’s not original!’.

There were some options to change the train status, so I attempted to change the status of the train and checked it in the Android Application.

Yeah! It was reflected in the Android application. Then I created a report as internal panel access.

After reporting the internal panel access, I dug more and got many other endpoints. The panel had a tab called single insert with a “train_date” parameter, which was reflected as the value in the source code. So I tried XSS there with the payload “onmouseover=alert(document.domain)” and the alert box was there.

I then made a report and sent it to Google, but the Google VRP Team rejected the report as Infeasible.

Reply from Google VRP Team 😭 💔

Once the report was rejected, I started looking for a way to exploit the reflected XSS. I did some Google research and found that we can do virtual defacement using reflected XSS, but I was not satisfied with that, so I spoke to my friend Nizam. He told me to make a phishing page of Google 😅, and we created one of the Google Sign-in page, which triggers when the victim clicks on the link.

Then I made a PoC video again and replied to the team, and finally they accepted the report.

And I didn’t stop my recon there. I dug more and found another endpoint called “/mt/submit_change_in_status”, where we have the “train_date” parameter. From further recon it was observed that the parameter is vulnerable to error-based SQLi 🤩. I am not that great with manual SQLi, so I first gave it a try with SQLMap. It was a POST request, so I captured the request, saved it and ran SQLMap, and the result was:

sqlmap ❤️

Then I spoke to Nizam about this and he helped me in doing the manual SQLi and here we go

manual SQLi ❤️

I quickly made another report and sent it to Google, and they accepted that too 😋
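
An added example, not code from this write-up or from Where Is My Train: both findings come from one `train_date` value that reached markup and a SQL statement unchecked, so this sketch puts a weak handler beside a hardened one. The function names, the SQLite table and the sample inputs are assumptions made up for illustration.

```python
import html
import sqlite3
from datetime import datetime

# Hypothetical schema and handlers; the real panel's code is not shown in the post.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE status (train_date TEXT, state TEXT)")
    db.execute("INSERT INTO status VALUES ('2019-06-01', 'on time')")  # constructed row
    return db

def render_unsafe(train_date):
    # Weak: the raw value lands inside a double-quoted attribute.
    return '<input name="train_date" value="%s">' % train_date

def lookup_unsafe(db, train_date):
    # Weak: the value is concatenated into the SQL text, and any database
    # error raised here would travel back to the caller.
    sql = "SELECT state FROM status WHERE train_date = '%s'" % train_date
    return db.execute(sql).fetchall()

def parse_train_date(raw):
    # Allow-list: accept only a real calendar date, normalised to YYYY-MM-DD.
    try:
        return datetime.strptime(raw, "%Y-%m-%d").date().isoformat()
    except (TypeError, ValueError):
        return None

def render_safe(train_date):
    # Encode for the attribute context even when the value was validated.
    return '<input name="train_date" value="%s">' % html.escape(train_date, quote=True)

def lookup_safe(db, raw):
    day = parse_train_date(raw)
    if day is None:
        return None  # caller answers 400 with a generic message, no DB error text
    # Bound parameter: the value is never parsed as SQL.
    return db.execute("SELECT state FROM status WHERE train_date = ?", (day,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    # Constructed input, modelled on the payload quoted in the post.
    probe = '" onmouseover=alert(document.domain) x="'
    print(render_unsafe(probe))
    print(render_safe(probe))
    print(lookup_safe(db, "2019-06-01"), lookup_safe(db, "'"))
```

The unauthenticated `/mt` panel is a separate issue: input handling like this does not replace access control on the panel itself.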

Thanks for reading my write-up. Hope you enjoyed it. Happy HACKING Guys…!!