RCE via Account Takeover

Karthikeyan
Published in Vault Infosec
3 min read · Aug 25, 2023

In this blog, I am going to share a bug that I came across while performing VAPT for a private project.

This was a CMS website I was doing VAPT for. In a CMS, the chance of finding bugs is lower when the version is up to date and there are no known CVEs or exploits for that particular version. Initially, I understood the application flow, then tested for bugs like XSS, SSRF, LFI, etc. None of them worked out. Some custom templates were used on the website, so I tried SSTI and CSTI for template injection, but that was also in vain.
Then something caught my eye while navigating to the My Account section: the UserID was passed in the URL. I started to tamper with the UserID, and it showed the user details of the tampered UserID. Similarly, the UserID is passed in the URL for Change Password, where it asks for the current password before changing the password. I changed the UserID value in the URL to that of another user, and surprisingly it worked: I was able to change the password without any validation.

Then I figured the Admin's user ID must be one, tried to change its password, and it worked. Now I had control over the Admin's account. After that, I traversed the admin account and found an option to execute PHP code on the website, which reminded me of the pentestmonkey PHP reverse shell.

Then I used ngrok for port forwarding to receive the connection. I altered the payload, started a Netcat listener on my local machine, and executed the payload in the PHP execute function. As soon as the payload was executed, a reverse shell spawned in the terminal.

The reason I was able to take over the account is the custom OAuth implemented on the site, where authorization was not configured properly. The PHP execute extension should not be used on the website; in the event of a breach or successful attack, an attacker could use this functionality to take control of the system. The CMS vendor also advises users not to use these kinds of extensions.
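To make the authorization failure in the Change Password flow concrete, here is an added example (not code from the post or from the CMS) of a password-change handler that trusts the UserID from the URL, beside a hardened version that binds the target to the logged-in session and re-checks the current password. The user table, names and passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets


def _hash(password, salt):
    # PBKDF2-HMAC-SHA256 stands in for whatever the real CMS uses to store passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(name, password):
    salt = secrets.token_bytes(16)
    return {"name": name, "salt": salt, "pw_hash": _hash(password, salt)}


def verify_password(user, password):
    # Constant-time comparison so the check itself leaks no timing information.
    return hmac.compare_digest(user["pw_hash"], _hash(password, user["salt"]))


# Constructed in-memory user table: user ID 1 is the admin, as in the post.
USERS = {1: make_user("admin", "Adm1n-old"), 2: make_user("alice", "Al1ce-old")}


def change_password_vulnerable(users, url_user_id, new_password):
    # Mirrors the bug described in the post: the handler acts on the UserID taken
    # from the URL and never checks who is logged in or what the current password is.
    user = users[url_user_id]
    user["salt"] = secrets.token_bytes(16)
    user["pw_hash"] = _hash(new_password, user["salt"])
    return "ok"


def change_password_fixed(users, session_user_id, url_user_id,
                          current_password, new_password):
    # The account being changed must be the authenticated one; a client-supplied
    # ID that differs from the session is refused rather than silently corrected.
    if session_user_id != url_user_id:
        return "forbidden"
    user = users[url_user_id]
    # Re-authenticate with the current password before accepting a new one.
    if not verify_password(user, current_password):
        return "bad_current_password"
    user["salt"] = secrets.token_bytes(16)
    user["pw_hash"] = _hash(new_password, user["salt"])
    return "ok"
```

Flag any request whose URL user ID differs from the session's user ID; the hardened handler returns "forbidden" for exactly that case, which is the condition the vulnerable handler never evaluates.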

I hope you find this blog useful; I will be back with another interesting one.
