Today I want to share a privilege escalation chain combined with blind XSS that I found on a private program's site. In this write-up I will explain how I found the privilege escalation and the methodology I used.
Before getting to the exploitation part, some background on the target application. I was invited to a private program where one of the target websites, let's say "example.com", had a subdomain "xyz.example.com" that sells books and newsletters online. Before starting actual testing on this subdomain I performed some recon: directory search, Nmap, Wayback, and so on. During the directory search I found an interesting directory, cAdmin.asp, returning a 301 status code. When I opened "https://xyz.example.com/cAdmin.asp" I was redirected to the login page "https://xyz.example.com/login.asp", so I assumed I needed admin credentials to access this directory.
After some time I opened the same URL (https://xyz.example.com/cAdmin.asp) in my Chrome browser with a normal user session and got a forbidden message on my screen. After scrolling, though, four buttons appeared: admin.asp, addresses.asp, Cpanel.asp and store.asp. Of these four, only addresses.asp worked: when I clicked it I was taken straight into an administrator menu.
From there I could access only the address functionality of the administrator, so I went into "View addresses".
I was able to update or remove any user's address. For testing purposes I updated the address of my other account with an XSS payload, and when I logged into that second account the payload fired. The reverse is also possible: from a normal user account, add an address containing an XSS payload, then open the administrator menu and the payload fires there.
So with this XSS we can steal the cookie of any user from the administrator menu, and from a normal user account we can steal the administrator's cookie.
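The chain above works because authorization was enforced per page (addresses.asp was missed) and the address field was stored and displayed without encoding. As an added example for readers, not code from the target site or from the author, here are the server-side controls that break the chain, written as plain Node.js functions with no framework: one authorization decision covering every admin page from the server-side session, HTML encoding of the address at render time, and HttpOnly on the session cookie. The page names come from the write-up; the session shape (userId, role), the function names and the sample address record are assumptions.

```javascript
// Added example, not code from the target site or the write-up's author.
// Route names come from the write-up; session fields, function names and
// the sample record are assumptions for illustration.

// Every administrator page, listed once. IIS serves .asp paths
// case-insensitively, so the check normalises case instead of comparing
// exact strings (otherwise /ADDRESSES.ASP would slip past it).
const ADMIN_PAGES = ['/cAdmin.asp', '/admin.asp', '/addresses.asp', '/Cpanel.asp', '/store.asp']
  .map(p => p.toLowerCase());

// Control 1: one authorization decision for the whole admin area, taken
// from the server-side session role, not from which buttons the UI shows.
// Returns an object describing what the request handler should do.
function authorize(session, path) {
  const target = path.split('?')[0].toLowerCase();
  if (!ADMIN_PAGES.includes(target)) {
    return { allowed: true };                          // public page
  }
  if (!session || !session.userId) {
    return { allowed: false, redirect: '/login.asp' }; // anonymous: send to login
  }
  if (session.role !== 'admin') {
    return { allowed: false, status: 403 };            // logged in but not admin
  }
  return { allowed: true };
}

// Control 2: HTML-encode untrusted data at render time. The address is
// user-controlled, so any markup in it must be shown as text, never parsed.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, ch => map[ch]);
}

// Renders one row of the "View addresses" table with every field encoded.
function renderAddressRow(address) {
  return '<tr><td>' + escapeHtml(address.user) + '</td><td>' +
         escapeHtml(address.street) + '</td></tr>';
}

// Control 3: session cookie flags. HttpOnly keeps the cookie out of
// document.cookie, so even a script that does run cannot read it.
function sessionCookieHeader(sessionId) {
  return 'session=' + encodeURIComponent(sessionId) + '; Path=/; Secure; HttpOnly; SameSite=Lax';
}

// Constructed sample record: an address holding markup, as the write-up
// describes, using a harmless placeholder tag.
const sampleAddress = { user: 'tester', street: '1 Main St <script>alert(1)</script>' };

// Walk the write-up's scenario through the three controls.
function demo() {
  const normalUser = { userId: 42, role: 'user' };
  const admin = { userId: 1, role: 'admin' };
  return {
    anonymousOnCadmin: authorize(null, '/cAdmin.asp'),
    userOnAddresses: authorize(normalUser, '/addresses.asp'),
    userOnAddressesUpperCase: authorize(normalUser, '/ADDRESSES.ASP?page=2'),
    adminOnAddresses: authorize(admin, '/addresses.asp'),
    renderedRow: renderAddressRow(sampleAddress),
    cookie: sessionCookieHeader('abc123'),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node` and compare the output against the write-up: the normal user session is now denied on addresses.asp (and on its upper-case variant), the stored markup renders as visible text in the admin's table, and the session cookie is no longer readable from script. The key design point is the first control: a single allow-list of admin pages checked on every request is far harder to miss than a check copied into each page.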
Thanks to the Bugcrowd team for allowing disclosure of this issue.
Thanks to Hritik sharma for his write-up about privilege escalation.
23rd Sept: Initial discovery.
24th Sept: Triage by the Bugcrowd team.
16th Oct: $xxxx bounty rewarded.