Hi guys, again here bringing an experience to share with you. As usual I will redact some information. Let's go.
Going through the application, I came across a feature that allowed downloading a document. The functionality triggered the following request:
As you can see, in the body of the request, precisely in the info parameter, there were a lot of numbers. I tried some SQLi and XSS payloads without success. Then I tried the payload foo/../304368[rest of numbers], and the application still returned the file, which I found interesting. So I tried to reach /etc/passwd using path traversal techniques. After some attempts, reading this article, and testing payloads with fuzzing techniques, I finally got one that worked: ../../../etc/passwd%00. The %00 (URL-encoded null byte) is a known bypass for several scenarios, not only path traversal; more info here. The following images illustrate the payload and response:
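Since the rest of the writeup reuses this same traversal plus null-byte payload (first for /etc/passwd, then for dotfiles and the .zip), here is an added example of how the download feature should have handled the info parameter, and how the payloads look in a request log. This is my own illustration, not the post's code or the target application's: the vulnerable pattern it addresses is a handler that joins the caller-controlled parameter straight onto a documents directory. DOC_ROOT, the function names and the sample log lines are all assumptions I constructed for the example; the null-byte truncation itself happens in C-backed file APIs (and older Java ones), which is why the check has to run on the decoded value before any file call.

```python
"""Added example, not from the original post: a hardened document-download
resolver that rejects the traversal and %00 tricks the post describes, plus a
small detector that flags those payloads in request logs."""
import os
from urllib.parse import unquote

# Hypothetical document root; the real application's directory is unknown.
DOC_ROOT = "/srv/app/documents"


def check_download(info: str, doc_root: str = DOC_ROOT):
    """Validate the caller-controlled 'info' value and return (ok, detail).

    detail is the resolved absolute path when ok is True, otherwise the
    reason the request was refused. Nothing is opened here; the point is
    to decide *before* any file API sees the string.
    """
    decoded = unquote(info)

    # 1. Embedded NUL: "../../../etc/passwd%00.pdf" passes a naive
    #    endswith(".pdf") check, but a C-backed open() stops at the NUL and
    #    reads /etc/passwd. Refuse the whole request.
    if "\x00" in decoded:
        return False, "null byte in path"

    # 2. Any parent-directory component is refused outright, even one that
    #    would stay inside the root (foo/../id): legitimate document ids never
    #    need it, and it is the building block of every traversal payload.
    if ".." in decoded.replace("\\", "/").split("/"):
        return False, "parent directory reference"

    # 3. Confine the normalised result to the root. realpath collapses
    #    symlinks, and os.path.join discards the root when 'decoded' is
    #    absolute (/etc/passwd), so the commonpath check catches that too.
    root = os.path.realpath(doc_root)
    candidate = os.path.realpath(os.path.join(root, decoded))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        return False, "path escapes document root"

    return True, candidate


# Markers checked after decoding; order matters only for the reported reason.
SUSPICIOUS = ("../", "..\\", "\x00")


def scan_request_log(lines):
    """Return [(line_no, marker)] for constructed log lines whose decoded
    parameter contains a traversal sequence or NUL byte.

    The value is decoded twice so double-encoded variants (%252e%252e%252f)
    are caught as well as the plain %2F / %00 forms.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        decoded = unquote(unquote(line))
        for marker in SUSPICIOUS:
            if marker in decoded:
                hits.append((n, marker))
                break
    return hits


# Constructed sample log lines modelled on the post's download request;
# the document id is a placeholder, not the real one.
SAMPLE_LOG = [
    "POST /download HTTP/1.1 info=1234567890",
    "POST /download HTTP/1.1 info=foo/../1234567890",
    "POST /download HTTP/1.1 info=..%2F..%2F..%2Fetc%2Fpasswd%00",
    "POST /download HTTP/1.1 info=%252e%252e%252fetc%252fpasswd",
]

if __name__ == "__main__":
    for payload in ("1234567890.pdf", "foo/../1234567890.pdf",
                    "../../../etc/passwd%00", "/etc/passwd"):
        print(repr(payload), "->", check_download(payload))
    print("log hits:", scan_request_log(SAMPLE_LOG))
```

The resolver is deliberately stricter than "does the final path stay inside the root": it refuses the null byte and any `..` component before normalising, so the decision never depends on how a particular file API treats those characters. The detector is the other half of the picture; a single `%00` or `../` in a document-id parameter is a strong signal worth alerting on, since no legitimate client of such a feature sends one.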
After getting all the users with the payload quoted above, I made a list with the absolute path of each user retrieved, and another wordlist containing common Linux files like .bashrc, .vimrc and others. By doing this it was possible to recover one user's .bash_history file, as demonstrated below:
After reading the contents of the .bash_history file of the user in question (if you don't know what .bash_history is, see here), I could see that there was a file with a .zip extension, so I went to recover this file using the same %00 payload technique, as shown next:
After getting this file, I unzipped it and got a lot of Java files, like below:
Finally, I used a tool, JD-GUI, to decompile the .jar files, retrieved them, and got some information, as shown below:
So that's it folks. This was a simple one; I hope to have contributed a bit with you xD.
Sharing is Caring
Best regards, fr0stNuLL