Particularly when I speak with newbie protection researchers/bug bounty hunters, they perpetually make me think as not thinking themselves able of finding remote code execution vulnerabilities because they are super-complicated. Because of this error, these people are really not trying to attain any of them or stop looking back sometimes. I think maybe the rationalization after it is that most of the parts/write-ups are indeed super difficult bugs beginning with the RCE from various different root causes with connecting one to another. While I am continuously impressed by these well-written write-ups & innovative ways of exploitation, I still maintain to look for the loose ones too when running. Due to this, I decided to share some of the real-world examples that I found on the synack targets for a while, which were especially low-suspended fruits and could be improved/exploited by anyone. Just a few various tricks may really exploit a vulnerability that seems not exploitable at first.
Unrestricted File Upload 1:
On a host practice, I was looking at attaining a login page under /support/ directory within fuzzing directories. With the guidance of the javascript files stored on that login page, I mentioned some of the after-login endpoints and within direct entering this endpoint, I discovered that any of the administrator pages are available without login. One was to add an upload file page, which was allowing asp file lengths too. Sounds very easy right? Well, after upload, I tried to identify the upload record of the files within both fuzzing and from javascript files but it was not feasible. After that, I tried to upload the file to the upper registers within trying directory traversal vulnerability on the file name and it worked. Used “Fuzzing-Path Traversal” dictionary for a comfortable & electronic attack to find the vulnerability. But please be warned that while it doesn’t handle any query on file collection, it could be a query on file creation/update/deletion functionalities since all moving payloads will generate a new file on the server.
Unrestricted File Upload 2:
On a web system I was testing, I obtained a web form that did not exist on the web application site map or UI at all with the help of Google Dorks such as hunting site:domain.com ext: asp. That web form also had a file upload share, which was according to upload asp sizes. At this time, the test was also for obtaining the record of the upload was too. Nothing I did, I couldn’t identify the upload record and also didn’t find any vulnerability to chain with such as index traversal as on the first example. After that, I went back to the webform which I was packing. It was an appeal form for something I do not get. I filled the large form and post it. After a few times, I got an email from the web application about my request. That email included all the data I filled out to the form, including a link to my uploaded document which was at the corresponding application in-scope. Clicking the link delivered my same web shell as on the first example, as well as with the almost 3k payout from the platform.
Known RCE Exploitation:
On host testing, I obtained a version of SugarCRM app running on an in-scope IP address. Within the school version of the software & hunting for vulnerabilities on Google for it, I quickly discovered that the version was exposed for a PHP Code Execution vulnerability. Well, while the deed was executed, the assembly was not designed. I decided to use other msf payloads from the structure but none of them went, probably a firewall was checking both incoming and accommodating requests for bind shells. After that, I started the achievement code and analyzed it. Utilize code was generating a randomly named file under /custom/ directory and after that structure, a reversed shell to the presented IP address from that generated PHP file. When I quickly reached the file generated on my exploitation efforts it returned an empty response, meaning that the file was actually generated & the exploit worked.
After that, on the below code, I noticed that a special payload header is sent to the server from this file for full exploitation which is base64 encoded, via this code:
To encode the payload as @system(whoami); for:
- system command from PHP for running OS command.
- whoami os command for rendering the result.
Demanding the file generated by Metasploit with the payload header as performed turned the output of the whoami command, along with the around 3k payout again. When I was attempting to delete my planned web shells for the clean-up process on this.
Application Level Command Injection:
This one is a little more complex than the other examples but still needed to reply to this post because the exploitation system is different. On a confirmed web application testing, there was a functionality existing for attaching custom expressions to the problems generated by users Since the size was .do, the underlying technology was Java and I believed that maybe on the input script stage, they are also making Java functionalities as well as custom-designed functions?
Iappended the Java one-liner new java.io.DataInputStream(java.lang.Runtime.getRuntime().
exec("whoami").getInputStream()).readLine()
under the custom created addMessage function for returning me to the output of the code and I saved the expression.
If you have any doubt about the above topic don’t hesitate to contact us. Airzero Sec will be your digital partner. Email id: [email protected]
Author - Johnson Augustine
Ethical Hacker and Data Security Researcher
Founder: Airo Global Software Inc
LinkedIn Profile: www.linkedin.com/in/johnsontaugustine/