Arbitrary File Read in one of the largest CRMs

Richard Clifford
Sep 26, 2018 · 2 min read

Without going into too much detail as this was a private bug bounty program, I will explain how I managed to read arbitrary files on one of the largest Customer Relationship Managers (CRM).

First thing to point out was that this was not a quick find and it took quite a few days of non-stop poking around before I had even noticed the vulnerable parameter. The parameter was hidden within a JSON encoded lump of data which must have been parsed on the back-end without any validation.

Image for post
Image for post
Example of the vulnerable request parameters

As with everything, I loaded up the request in Repeater and Intruder and went to town trying to identify any vulnerabilities here. Obviously, given the ‘page’ parameter I was hoping to get a file read bug. In intruder I loaded up some basic wordlists to go through but unfortunately it didn’t lead to any fruitful findings. So with one last attempt, I went through Repeater trying different combinations of payloads, encodings and escaping characters until I finally found a payload that worked. As I said before, this was a private program and I don’t want to disclose the exact payload that was used but it was very similar to this:

..\//..\//..\//{file}\;%00

Yes, I know that this isn’t an overly complex payload, nor should it have taken too long to identify it but what took the longest was finding and identifying the vulnerable parameter, not generating the payload itself.

I found this vulnerability in multiple locations throughout the platform and the program paid me out for each item.

  • Initial finding (Listed above): $REDACTED
  • Finding #2 (Could only read config files): $REDACTED
  • Finding #3: $REDACTED

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch

Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore

Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store