XSS, RCE & HTML File Upload in same endpoint

Hello,
I’m Tarikul Islam, an acknowledging member of Sec Miner’s Bangladesh.

The basis of my knowledge comes from the bug bounty community & now it’s time to share a bit of my own experience.

A little while ago I targeted a private company. After some research, I found a sub-domain partners.site.com which is used for partners’ communication. I had the feeling that I can find XSS here. I tried for four days & got nothing but Information Discloser which was regenerating error because of the name character length set to 64 where I set my name more than 100+ characters which resulting to information disclosure.

sa1tama0
demo

206 An exception occurred while executing ‘INSERT INTO partners.user (id, site_id, name, email, avatar) VALUES (?, ?, ?, ?, ?)’ with params [283, 411571, “\”aaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbccccccccccccdddddddddd…”, “sa1tama0@wearehackerone.com”, “https:\/\/secure.gravatar.com\/avatar\/e5fbf987aa8c9f4b1ee0f05ad.jpg?d=mm”]: SQLSTATE[22001]: String data, right truncated: 7 ERROR: value too long for type character varying(64)

There was a possibility of using this error to execute XSS (Self XSS). I also tried to find CSRF in the name field to upgrade Self XSS to Stored XSS. Failed

Two days later I got the hidden user panel at partners.site.com/admin where I can change my details. There was also an option to upload a logo. The first thing that came in my mind, to upload an SVG file. SVG was uploaded successfully. I got an XSS (Non-Privileged User to Anyone) by uploading the SVG file.

And $200 was rewarded for the XSS. After that, I made an SVG for Blind XSS & upgrade the severity.

RCE by PHP file upload.

After a week I was rechecking the site. I tried to upload the SVG file again also tried some bypass. But there was no luck. After a while, I upload an image without any extension. The image was successfully uploaded & it was showing the normal image in frontend. When I opened the full image it was showing raw code as content-type: text/html.

What the heck?

I tried to upload files with PHP extension. Failed

Then I tried JPG Shell Uploading (Ninja Method)

1. Select an image(bind with PHP code) click to upload.
2. Capture the request with the burp suite.
3. Change the file name to rce.php

BOOM!!!

$1000 was rewarded for RCE by PHP file upload.

After a month a friend of mine found HTML file upload to the same endpoint. He was rewarded $400 for it.