Arbitrary File Read in one of the largest CRMs

Without going into too much detail as this was a private bug bounty program, I will explain how I managed to read arbitrary files on one of the largest Customer Relationship Managers (CRM).

First thing to point out was that this was not a quick find and it took quite a few days of non-stop poking around before I had even noticed the vulnerable parameter. The parameter was hidden within a JSON encoded lump of data which must have been parsed on the back-end without any validation.

Example of the vulnerable request parameters

As with everything, I loaded up the request in Repeater and Intruder and went to town trying to identify any vulnerabilities here. Obviously, given the ‘page’ parameter I was hoping to get a file read bug. In intruder I loaded up some basic wordlists to go through but unfortunately it didn’t lead to any fruitful findings. So with one last attempt, I went through Repeater trying different combinations of payloads, encodings and escaping characters until I finally found a payload that worked. As I said before, this was a private program and I don’t want to disclose the exact payload that was used but it was very similar to this:

..\//..\//..\//{file}\;%00

Yes, I know that this isn’t an overly complex payload, nor should it have taken too long to identify it but what took the longest was finding and identifying the vulnerable parameter, not generating the payload itself.

I found this vulnerability in multiple locations throughout the platform and the program paid me out for each item.

  • Initial finding (Listed above): $REDACTED
  • Finding #2 (Could only read config files): $REDACTED
  • Finding #3: $REDACTED