LFI to Command Execution: Deutsche Telekom Bug Bounty
A few months ago I did a little subdomain bruteforce on telekom.de, to see if there were any new subdomains which, if I was lucky enough, might have some high-severity vulnerabilities, since Deutsche Telekom only accepts SQL injection and Remote Code Execution.
After running aquatone, dnsenum, recon-ng and sublist3r, I collected all of the subdomains and removed duplicates, created a simple bash script to iterate over them and run dirb on every subdomain, and went on with my usual stalking of /r/netsec to read new interesting things.
A few hours later, I checked to see how dirb was doing and something caught my eye. I saw that one subdomain had an info.php page available. I just love PHP: developers usually mess something up and leave some doors open for hackers to come in. Opening info.php gave me some info that will be useful when the code execution part comes.
After opening the page I was greeted with a login page. It was time to fire up Burp Suite and do some spidering. A few seconds later a nice URL showed up in Burp:
Oh, I just had to replace that logon.hlp with ../../../../../../../../etc/passwd :
Some more files:
So LFI is fun, but it is not in scope; time to execute some commands. I chose the error.log poisoning option. Remember that info.php (phpinfo()) file in the site root? It showed the location of the error.log file, which made my job a lot easier: all of the locations from the SecLists LFI list gave 0 hits for the error.log path. In info.php it was:
While running dirb on the host I had found the file soap.php, which produced errors that ended up inside error.log, and one of the fields written to the log was the Referer value.
Running a simple test to see if the Referer value is executed:
And again, bingo:
And for the PoC, let's run phpinfo():
And the full report:
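The two things a defender takes from this chain are (a) the include parameter must be confined to a fixed directory instead of being sanitised by stripping `../`, and (b) both the traversal attempt and the poisoned Referer leave a clear trace in the web server's own logs. The following Python is an added example written for this write-up, not code from the original post or from Telekom's site: `safe_help_path()` shows the containment check, and `scan_log_lines()` flags the two indicators in Apache combined-format log lines. The help directory, the `file=` parameter name and the log lines are constructed for the example and are not values from the real target.

```python
"""Added example: confine an include parameter and detect LFI / log-poisoning traces."""
import os
import re
from typing import Dict, List

# Constructed path: where the application keeps its .hlp help files.
HELP_ROOT = "/var/www/app/help"


def safe_help_path(user_value: str, root: str = HELP_ROOT) -> str:
    """Return the absolute path of a help file, or raise ValueError.

    The value is first matched against a strict allowed pattern (plain name
    plus .hlp extension).  The containment check afterwards is defence in
    depth: normalising the path and comparing the common prefix catches
    traversal variants that a naive "strip ../" filter would miss.
    """
    if not user_value or "\x00" in user_value:
        raise ValueError("empty or NUL-containing filename")
    if not re.fullmatch(r"[A-Za-z0-9_-]+\.hlp", user_value):
        raise ValueError("filename does not match the allowed pattern")
    root = os.path.abspath(root)
    candidate = os.path.abspath(os.path.join(root, user_value))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes help directory")
    return candidate


def is_safe_help_name(user_value: str) -> bool:
    """Boolean wrapper around safe_help_path() for callers that only need yes/no."""
    try:
        safe_help_path(user_value)
        return True
    except ValueError:
        return False


# Indicators taken from the write-up: traversal in the request line, and a PHP
# open tag in a header that the server copies into its log files.
TRAVERSAL_RE = re.compile(r"(?:\.\./|\.\.\\|%2e%2e%2f|%2e%2e/|\.\.%2f)", re.IGNORECASE)
PHP_TAG_RE = re.compile(r"<\?(?:php|=)?", re.IGNORECASE)

# Apache "combined" format: ip ident user [time] "request" status size "referer" "agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def scan_log_lines(lines: List[str]) -> List[Dict]:
    """Return one finding per suspicious line: line number, client IP, reasons."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not combined format; a real deployment would log this
        reasons = []
        if TRAVERSAL_RE.search(m.group("request")):
            reasons.append("traversal in request")
        for field in ("referer", "agent"):
            if PHP_TAG_RE.search(m.group(field)):
                reasons.append(f"php tag in {field}")
        if reasons:
            findings.append({"line": n, "ip": m.group("ip"), "reasons": reasons})
    return findings


# Constructed sample log lines mirroring the steps in the write-up.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Apr/2017:12:00:01 +0200] "GET /help.php?file=logon.hlp HTTP/1.1" 200 1523 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Apr/2017:12:00:09 +0200] "GET /help.php?file=../../../../../../../../etc/passwd HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Apr/2017:12:01:30 +0200] "GET /soap.php HTTP/1.1" 500 0 "<?php echo 1; ?>" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Apr/2017:12:02:00 +0200] "GET /index.php HTTP/1.1" 200 512 "https://example.org/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(safe_help_path("logon.hlp"))
    print(is_safe_help_name("../../../../etc/passwd"))
    for f in scan_log_lines(SAMPLE_LOG):
        print(f)
```

The same two-stage check (allowed pattern, then normalised-path containment) is what a PHP `include` wrapper should do before touching the filesystem; on the detection side, correlating a traversal hit and a PHP tag from the same client IP within a short window, as the sample shows, is the signature of exactly this LFI-to-log-poisoning chain.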
Reported: April 10 2017
Fixed: Sometime in August
Daniel Maksimovic ( firstname.lastname@example.org )