Pwn them for Learn


Hello guys! These days I'm not very active because of college life 🙁 but this weekend I got enough time to write about one of my findings on a
private site 🙂 from which I was able to get Remote Code Execution on the server 🙂

Site: B*******.com
Description: Bitcoin buy and sell site
Bug: Remote Code Execution

OK, let's start! First of all, the site's login system was quite different: they send you an "Access Code" (a 7-digit code) to the registered email whenever you want to log in, and the site was behind Cloudflare.

Playing around with the uploader:

After login there was a page to upload documents, including ID proof, which had unrestricted file upload. But whenever I uploaded a PHP file and opened it, it was downloaded instead of executed. Then I started messing around with the uploader, and feeding it some unsuitable characters gave me a server error that leaked the server's full path, the upload script's path and the server type (nginx).




Let's read some files:

The thing I noticed was that anyfile.js was a script, and node_modules and the like were there (I had zero knowledge of Node.js). Two things were confirmed: nginx and Node.js. But why wasn't PHP executing? HTML was executed, which means stored XSS, but I was looking for RCE. One thing I was missing is that nginx sometimes has problems with uploaders, so I put ../../a.php in the filename, which uploaded a.php to the root directory of the site, but it was still not executing :/ meaning PHP was not configured on the Node.js side. As I said, anyfile.js and its path were there in the debug message, so I opened it and I was fully shocked :O it was a Node.js file with the MySQL login (root user 😀) and the SMTP mail login (Gmail, the same email which sends the "Access Code", which means we can do account takeover from here), all publicly accessible 😉



Let's shell:

Doing some more work I was able to read many files, which means I had arbitrary source code read. Now, as I said, Cloudflare was in front, so the real IP was not available to me. I started looking for the IP, which led me to email headers that leaked the server IP. OK, but the MySQL port 3306 was closed (maybe it was only listening on 127.0.0.1, not on 0.0.0.0), the same port that was configured in anyfile.js. So I started looking for other ports on the same IP, which gave me two: ip:7788 and ip:8899. ip:8899 was a clone of the site, while ip:7788 had API documentation, so by doing some work on ip:7788 I got its full path, which was /home/*user*/php/application/file.php 😀 damn, PHP was configured here. Now I went back to port 8899, which was the clone of the site, used ../../../user/php/a.php as the filename, checked it at ip:7788/a.php, and boom, PHP executed 😀



./My reaction: Let's get into it xD but as a whitehat I can't, it would violate the program's policy



./Root cause:
Uploader misconfigured in 2 ways -> allowed PHP and directory change via the filename (most probably because of nginx) — — — Eq. 1
Leak of the full path of a server which had PHP installed. — — — Eq. 2

By combining Eq. 1 and Eq. 2: Eq. 1 + Eq. 2 = RCE

./Game Over
./Bounty awarded
./Special thanks to Waleed, Rahul Maini, Daniel.