Subdomain Fuzzing worth 35k bounty!
My Name is Abdullah Nawaf, Full Time Bug Bounty Hunter, Working actively in BugCrowd with Top 50 Rank, Rank 11 for P1 Bugs, Hunting For P1, and P2 Bugs
In this Writeup I will explain how I and Orwa Atyat Were able to get 35K Bounty using Subdomain Fuzzing and chaining multiple bugs together to Get Full rce
I’ve been hunting for 4 years and this is my first Writeup, Sorry if there was any mistake in it, I tried my best :)
Description:
The Story being in 2022 when I reported Auth Bypass Leads to SQLI&RCE for a private program in Bugcrowd, the Bug was fixed just one day after the report.
In 2024/3 me and orwa decided to re-testing our old bugs
The target that we were Re-Testing was admin.Target.com
we used Subdomain Fuzzing By Using this command
ffuf -w /subdomain_megalist.txt -u 'https://adminFUZZ.Target.com' -c -t 350 -mc all -fs 0You will find
subdomain_megalist.txtin reference part
Using this command we found a subdomain called admintest.Target.com
You can notice there is a lot of Errors in the PIC, But its ok since u fuzzing subdomain ,errors means the the subs not working
The admintest.Target.com was vulnerable since it has the same Back-end as the origin subdomain admin.Target.com
Let's talk about the bugs we have found one by one
Auth Bypass&BAC :
The https://admintest.Target.com was redirect to https://admintest.Target.com/admin/login.aspx
reading some js files, we found an endpoint called https://admintest.Target.com/admin/main.aspx Opening it directly in the browser will redirect us again to the login page but in Burp we noticed something,
the Content-Length was so large, so larger for redirect response
you can notice here that even though you redirect to the login page, the end is working, with full access,
by removing these 3 headers I was able to access the panel
Using Burp Match And Replace or using Burp intercept response by
change 302 Moved Temporarily to 200 OK
remove Location: /admin/Login.aspx?logout=y
remove html redirect code we were able to get FULL Auth Bypass, and it was fully functional, not just front-end bypass, after digging deep, we were able to find adduser.aspx this endpoint was redirecting us to the login page as main.aspx using the same trick in adduser.aspx we were able to access the endpoint and add an admin account, also we found another endpoint that shows admins password&username without any Auth
SQLI:
After adding admin account , we were able to login It would be easier for us than using the above trick
we found an endpoint called `SQLQuery.aspx` And from it name u know what it function :)
The first thing I tried this Query Select * from users
we were able to see all user's info including passwords,emails,username
RCE:
Since the database was `mssql` we tried to escalate it to RCE using xp_cmdshell
you read about xp_cmdshell
In a short way xp_cmdshell allow the user to execute commands in the system using mssql
By default it is disabled, but you can enable it so easily, using sqlmap option --os-shell
But in our case, we don't need sqlmap since we execute query directly to the database just like Select * from users also SELECT @@version
so the first thing we should do to make xp_cmdshell working is to enable it by using these queries
SP_CONFIGURE "show advanced options", 1
RECONFIGURE
SP_CONFIGURE "xp_cmdshell", 1
RECONFIGUREyou can see this, it would help
https://medium.com/@s12deff/microsoft-sql-server-to-rce-984016b4aaf8
and then xp_cmdshell ‘whoami’ BOOM RCE!
we sent all of them in one report + one other SQLI in another endpoint,and we got in total 35k bounty
Lessons learned&Summary:
1_Always check the redirect response in burp
I and Orwa found a lot and a lot of that same auth bypass, my first bounty was in 2020 and it was the same trick,
/admin/admin.phpRedirect tologin.phpBut when I see the response in burp , the admin.php just working fine and it is just Front-End Redreact !
2_ If u found a bug in a subdomain and it fixed try Subdomain Fuzzing
you can use it this way
admin-FUZZ.target.com E.G: admin-stg.target.com
FUZZ-admin.target.com E.G: cert-admin.target.com
adminFUZZ.target.com E.G: admintest.target.com
FUZZadmin.target.com E.G testadmin.target.com
admin.FUZZ.target.com E.G: admin.dev.target.com
The Command again
ffuf -w /subdomain_megalist.txt -u 'https://adminFUZZ.Target.com' -c -t 350 -mc all -fs 0
-t means threads , dont make it so high u could miss alot of working subs , aslo its dpends in your network speed
,sinc im using vps 350 find for me
-mc all means macth all respone codes like 200,302,403 and this importent 3_Try to escalate the bug before reporting
4_ Quality over Quantity:
when u find multiple bugs or chaining bugs together try to report them as one report , u will get higher bounty :)
Reference:
https://github.com/netsecurity-as/subfuz/blob/master/subdomain_megalist.txt
thx for Netsecurity for that list :)
you can find a lot of lists here also
https://github.com/danielmiessler/SecLists/tree/master/Discovery/DNS
All Of This Findings Was With OrwaGodfather As We Collaborate On All Hunt
I hope you guys have enjoyed the Reading
HX007&OrwaGodfather
