Juicy Infos hidden in js scripts leads to RCE

Simo Bal-ghaoui
4 min read · Jan 19, 2020


Sorry for the delay; I wasn’t able to write this before. Academic exams were overwhelming as usual. Now I have some time. Let’s start the (story)!

One day, while doing my research as usual, I came across a web application that I (wanted) to test. Just curiosity, you know: a website pops up and you, with your hacker mindset, want to test it; a small checklist is enough (as it wasn’t your target in the first place). But even so, you start crossing the walls, putting all your abilities and skills to use, while giving yourself only a small amount of time. Of course, wearing the white hat while doing this is mandatory. ¯\_(ツ)_/¯

I located a resource where users and admins were supposed to enter their credentials. It wasn’t on the main domain. First things first: take a look at the source code. As all of you know, JS code is open; like the HTML source, it is shipped to the front end. By the way, I like inspecting JS code, as it’s the first sensitive code some technologies use to interact with the internal system, and it gives you more to interact with and test, besides white-box inspection when that is available.

The function ChangePassword caught my attention:

(Image: JS code)

So, this introduced me to a new relative path with a parameter inside. That looked promising. Opening the new path with the parameter set to a random name shows the change-password utility for the name given in the parameter.

So far, I had forced browsing to the user’s password-change utility and an IDOR. The page shows a disabled field where the new password goes. The bypass was as easy as (hacking Google in my childhood, with Inspect Element of course ;) ). After submitting that form, I got a message telling me that the username wasn’t found! Oops. Two hypotheses came to mind about how users are verified:
1) What if there is no further check once I enter the correct username? Then I will have a critical account-takeover IDOR.
2) If not 1), how can I bypass it?

Sticking to the first assumption, and back to our JS code, looking around: the parameter’s value looked like this: change?pass=user- . I assumed the application appends an incremented number after the hyphen for every user created. So, how great would it be to put the number 1 after “user-”? :)
The result looks like this:
change?pass=user-1 .
The first user is, if not always, almost always the administrator.

The trick worked. Now I had a full critical IDOR leading to account takeover, and an administrator panel with full functionality. I forgot to mention: this was a dedicated server belonging to a public college (responsibly not disclosing the name), their official website (the whole system, in general), and a lot of sensitive information was flowing through it. It’s a full content management system with all the college’s administrative stuff: employee attendance, salaries, payments, classes, the teachers’ section for posting assignments, students’ grades… You can even change those grades, and more and more.

(Image: some functionalities)

From the administrator panel it took me up to 15 minutes, exploring the web application and its design, to finally get my RCE on a dedicated server with plenty of activity going on inside (the opening picture).

NB:
— —
No malicious act; I contacted the system administrators. No (index hh) was changed, nor any other files. At this time, the server is safe and functional.
