My First RCE (Stressed Employee gets me 2x bounty)

This was an easy find tbh, but since it was my first and a weird one i would like to share.

Image for post

I had found multiple bugs on the website before (like open redirect, hyperlink Injection, etc) but recently they updated the whole layout of the website and so i thought to look at it again.

Browsing the website i found the file upload functionality to update the profile which wasn’t there before, so i uploaded a svg image and i got XSS.

Image for post

I reported it them and i kid you not they replied.

Image for post

I was like WTF, this must be some kind of joke as i have sent previous reports and they seem to reply just fine. This was a little too much. Also you can see he sent me gif in the word duped which was this.

I was really angry at the way he replied, i mean the first line was enough to let me know, there was no need to brag about the money and you need to work harder. I didn’t really know how to respond to this, i thought maybe he’s had a tough day at his job and using this just for fun. I really wanted to get back at him but i let go and just waited for them to fix the issue.

A few days pass and its fixed. So i looked to bypass the upload functionality and after a few tries i uploaded the file like xss.svg.jpeg and it worked i got an XSS again. I was happy and thought now is the right time to get back at that guy. So i started writing my report and while i was writing i thought maybe i should try to get RCE by uploading a PHP file.

At first i simply uploaded a php file with code <?php phpinfo(); ?> and i got the PHP version page and all the details.

Image for post

This was enough to prove RCE and so i quickly reported and hoping it was not duped this time. Since it was a bypass i just sent it to the same guy to which he replied.

Image for post

I mean what the hell is wrong with this dude. So i contacted their support team and sent all the screenshots of the email showing the way he replied but they didn’t respond. So to prove the guy wrong i uploaded a php file with the code <?php echo "Shell";system($_GET['cmd']); ?> and i got a shell. Now i can just visit the image URL and add ?cmd=[command here] to run any command. Also it didn’t require any authentication that means once i uploaded the shell i can just visit the URL of the image and run any commands i want, no need to log in.

Image for post
Image for post
Image for post

So after i sent all the screenshots of the RCE i get this.

Image for post

I kinda knew this was gonna happen at some point and so i made a new report and sent it to the security team as it was a critical bug. After a month and a half of waiting they finally replied.

Image for post

I guess that makes for it then. This was one of the weirdest experience i have had in this field. After the incident they removed their bug bounty page from their website and is no longer present. Hope you learned something, if you liked then please share and 👏.

Thank You.

Bug-Bounty | Pentester

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store