Sharekhan is India’s leading online retail broking house. Launched on February 8, 2000 as an online trading portal, Sharekhan today has a pan-India presence with over 1,529 outlets serving 950,000 customers across 450 cities. It also has an international presence through its branches in the UAE and Oman. Sharekhan offers services like portfolio management, trade execution in equities, futures & options, commodities, and distribution of mutual funds, insurance and structured products.
A critical SQL injection vulnerability has been discovered in the Sharekhan web portal. Any malicious black hat can build much more devastating attacks on this critical flaw, including but not limited to: uninterrupted database access, a database dump, and the possibility of shell uploading.
Proof Of Concept
No data has been dumped; we randomly tested the security of Sharekhan’s website, and after spending a few minutes we came up with this SQL injection flaw. The database has been accessed just to take screenshots so that we can make the company believe that the vulnerability actually exists.
A reminder e-mail was sent to the company the very next day after this flaw was discovered, but even after a couple of weeks we didn’t receive any response from the company, and the said vulnerability still remains open to outside attack. It seems Sharekhan didn’t bother to fix this vulnerability that exists in their web portal, even after it was reported to them. So at last, we are disclosing this vulnerability publicly.