How I gained access to Sony’s database

This was a bug that I found back in 2017. It started when a friend of mine (a.k.a. 1337) showed me a T-shirt that he got from Sony. So I thought, why can't I get one? So I started doing recon on the target. Sony had a wide range of domains and sub-domains. I spent 2 days looking for a bug on Sony's main domain and got nothing.

So I went for the next thing, acquisitions. Same result. So I thought I should do something else, so I started dorking:

site:*.sony.*

And I landed on sony.co.kr and found a sub-domain, bpeng.sony.co.kr. Due to the difficulty in understanding the Korean language, I didn't know any of the options on the page.

Then something interesting happened: https://bpeng.sony.co.kr/handler/BPEtc-PageView?pagename=some page blah blah

So I changed the value of pagename to something else and, boom, it redirected to that page. So let's try etc/passwd... and nothing happened.

But Why..?

Because the server is Microsoft IIS, you dummy.

In my experience I had never had a chance to exploit an IIS server, so let's search for resources. I found that the site uses JSP and has something called WEB-INF that contains the configuration,

and PayloadsAllTheThings gave me the perfect payload:

jsp/etc/../../WEB-INF/web.xml

https://bpeng.sony.co.kr/handler/BPEtc-PageView?pagename=jsp/etc/../../WEB-INF/web.xml

and I got this in response:

DB Configuration Files
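The root cause is a page handler that joins the user-supplied pagename onto a directory on disk and serves whatever the result points at, so "../" segments walk out of the page directory into WEB-INF. The following is an added example (not Sony's code or anything from the original post) that shows a naive resolver beside a hardened one; the directory layout under /var/www/bpeng is constructed for illustration.

```python
import posixpath

# Constructed layout (assumption for this example): the handler resolves
# pagename relative to the webapp root, and real pages live under jsp/.
WEBAPP_ROOT = "/var/www/bpeng"
PAGE_ROOT = WEBAPP_ROOT + "/jsp"


def naive_resolve(pagename: str) -> str:
    """Vulnerable pattern: join the raw parameter onto the webapp root.
    normpath() collapses '..' segments, so the caller ends up reading
    outside the page directory (e.g. WEB-INF/web.xml)."""
    return posixpath.normpath(posixpath.join(WEBAPP_ROOT, pagename))


def safe_resolve(pagename: str):
    """Hardened resolver. Returns the on-disk path to serve, or None if the
    request must be rejected. Assumes the parameter has already been
    percent-decoded by the web server, as it would be in a real handler."""
    # Reject empty names, backslashes (IIS also treats them as separators)
    # and NUL bytes before any path arithmetic happens.
    if not pagename or "\\" in pagename or "\0" in pagename:
        return None
    # Canonicalise lexically first; a raw startswith() check on the
    # un-normalised string would be fooled by 'jsp/../WEB-INF/...'.
    candidate = posixpath.normpath(posixpath.join(WEBAPP_ROOT, pagename))
    # Containment: the result must sit strictly under PAGE_ROOT. An absolute
    # pagename such as '/etc/passwd' replaces the root in join() and fails here.
    if not candidate.startswith(PAGE_ROOT + "/"):
        return None
    # Defence in depth: never serve anything under a WEB-INF directory,
    # even if one were placed inside the page tree.
    if "WEB-INF" in candidate.split("/"):
        return None
    # In production, follow this with os.path.realpath() and repeat the
    # containment check so symlinks cannot escape either.
    return candidate
```

The naive resolver turns the payload from the post into the path of web.xml, while the hardened one returns None for it and for backslash or absolute-path variants, yet still serves ordinary pages under jsp/.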

I reported it to Sony, they listed my name in their HOF and gave me a T-shirt.

Stay Creative and Happy HACKING