Hello to readers,
This article is about the funniest remote code execution that I have ever found in a public program on Bugcrowd. Of course, for privacy purposes, we will not disclose the name of the program, so let's call it abc.com.
So as always, I was following the regular Recon steps.
Step No#1: Information Gathering
Firstly, I visited the Bugcrowd platform and checked for a program. For a change, I tried a public program this time.
I saw their scope is wide *.site.com (Which is the greatest relief for a bug hunter. Wide scope = more bugs :P )
Step No#2: Subdomain Mapping
Next I used the amass tool to look for subdomains of this host.
From the scan result, I found a number of unused subdomains, which led me to narrow down my search to one in particular. Let's say that was beta.alpha.xyz.internal.abc.com.
Step No#3: Vulnerability Identification
After looking into that, I was shocked to see that the website I found was hosting the Damn Vulnerable Web Application. That looked weird.
Why should a website host something like DVWA, which has a mother lode of vulnerabilities?
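The defender's side of steps 2 and 3 is keeping an inventory of what is actually exposed, so that a forgotten subdomain running a test application gets noticed before a bug hunter finds it. The following is an added example, not code from the original post: it takes subdomain enumeration output (here a constructed sample in the one-hostname-per-line shape that tools like amass print), reconciles it against a constructed asset inventory, and flags hosts whose labels (internal, staging, beta, dev, test) suggest non-production use. The hostnames and the inventory are made up for the example, including the post's placeholder beta.alpha.xyz.internal.abc.com.

```python
"""Reconcile enumerated subdomains against an asset inventory.

Added example, not from the original post. Assumes enumeration output
with one hostname per line and an inventory kept as a set of hostnames
the organisation believes it operates. All data below is constructed.
"""
from __future__ import annotations

# Constructed enumeration output. Blank lines, a comment line, a trailing
# dot and mixed case are included to show the normalisation step.
DISCOVERED_OUTPUT = """
www.abc.com
api.abc.com
# tooling noise that should be ignored
beta.alpha.xyz.internal.abc.com
staging.abc.com.
API.ABC.COM
"""

# Constructed inventory: what the asset owner thinks is deployed.
INVENTORY = {"www.abc.com", "api.abc.com", "mail.abc.com"}

# Labels that usually mean "not meant for the public internet".
RISKY_LABELS = ("internal", "staging", "beta", "dev", "test")


def parse_hosts(output: str) -> set[str]:
    """Turn raw one-host-per-line output into a set of normalised FQDNs."""
    hosts: set[str] = set()
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comment lines
        hosts.add(line.rstrip(".").lower())  # drop trailing dot, fold case
    return hosts


def reconcile(discovered: set[str], inventory: set[str]) -> dict[str, list[str]]:
    """Split hosts into 'exposed but untracked' and 'tracked but not found'.

    'unknown' is the list that matters for exposure review: every entry is a
    host answering on the internet that nobody in the inventory owns.
    """
    return {
        "unknown": sorted(discovered - inventory),
        "missing": sorted(inventory - discovered),
    }


def risky_hosts(hosts: list[str], labels: tuple[str, ...] = RISKY_LABELS) -> dict[str, list[str]]:
    """Map each host to the risky labels found among its DNS labels.

    Matching is on whole labels (split on '.'), so 'betamax.abc.com' does not
    match 'beta' while 'beta.alpha.xyz.internal.abc.com' matches two labels.
    """
    flagged: dict[str, list[str]] = {}
    for host in hosts:
        parts = host.split(".")
        hits = [label for label in labels if label in parts]
        if hits:
            flagged[host] = hits
    return flagged


def review(output: str = DISCOVERED_OUTPUT, inventory: set[str] = INVENTORY) -> dict:
    """Run the whole pipeline and return a report dictionary."""
    discovered = parse_hosts(output)
    diff = reconcile(discovered, inventory)
    return {
        "discovered": sorted(discovered),
        "unknown": diff["unknown"],
        "missing": diff["missing"],
        "risky_unknown": risky_hosts(diff["unknown"]),
    }


if __name__ == "__main__":
    report = review()
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run on the constructed data, the report lists beta.alpha.xyz.internal.abc.com and staging.abc.com as exposed hosts nobody has claimed, with the first one flagged on both "internal" and "beta"; those are the hosts to check for leftover test deployments such as the DVWA instance described in the post.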
Step No#4: Penetration
I continued with the testing, used the default login credentials "admin" / "admin", logged in to the website, uploaded a PHP shell and got a reverse shell. I found that it was still exploitable, but stopped there and reported it to the program.
I got a quick response back from the program. I have never seen a bug get fixed this fast. Within one hour, everything was addressed and fixed.
Well, it was one of the weirdest and funniest bugs I have ever found. It was shocking to see a big, reputed company making simple mistakes like this.
Thanks to Bugcrowd and the team for helping to resolve the issue fast!!