Hello, this is ABIDA Fahd from JAVA~DRINK3RS TEAM and today I will show you how I was able to find a way to upload TXT, PNG, XML files in a server I had no privileges in!
The story starts when I get my target from a friend, like always I start from collecting information from the target, and the first thing I did is extracting subdomains…
I used a dnsdumpster tool, you can find it here: https://dnsdumpster.com/
So the result was like this :
A lot of domains and a lot of information that can make the mission easier, I start checking the links one by one…
suddenly I stopped In a domain called ‘Cloud.xyz.com’ with “index Of “as additional information It looked like a group of directories, so I checked the link and Bingo!
It was an interesting find, some directories with no authentification required! one of them was interesting for me, its the first one the ‘Bugzilla’ folder, in the first second, I had no idea about what this name means so I decided to dig more, by clicking on the folder I got this!
I had nooo idea what’s this about xD, but I was so excited to know, I searched on google about Bugzilla and I understood that Bugzilla is a web-based general-purpose bug tracking system and testing tool originally developed and used by the Mozilla project, and licensed under the Mozilla Public License. you can learn more about it here: https://www.bugzilla.org/
This Bugzilla had an authentification system so I needed to log in or in another way I needed a way to bypass the normal way of login!
I started searching on google till the moment I found the good bug to use!
If you add this “createaccount.cgi “ at the end of ur Bugzilla target, you will find a feature that can allow you to create another Account without the confirmation of the super admin!
I created a new email by using a Temp Mail service and I got the link of the confirmation, then I logged in.
This is how Bugzilla looks like from the inside, and as you can see now we have the possibility to File a Bug!
So here we can Upload a file!
And here I was able to upload JPG file I can also upload other Extensions but unfortunately no Php supported!
I wish I had the ability to get a reverse-shell to complete this write-up by doing some privilege escalation but you can't own everything quickly maybe after a while I will find a way to do it!