Remote Code Execution in private website

Remote Code Execution in private website – Bug Bounty POC

Hello Bug Bounty POC viewers, this is Hisham Mir and today I will be sharing how last month I found Remote Code Execution in a private website, so let's start. When I created an account on the particular website and logged in, there was a document upload feature, so I tried uploading some PHP files, but the server was checking them properly with some JavaScript running on the backend. Later that night I was reading an article about how we can disable JavaScript in the browser, and I am pretty sure you all know about the extension in Mozilla which allows us to disable JavaScript. As I previously mentioned, the checking of the files by the server was working with JavaScript, so I just disabled JavaScript and the file was uploaded to the server. Now I had to find the path, but Burp helped me with it; it is a good friend of all. Besides this, I usually pentest websites using Chrome, so as soon as I got the path I closed Mozilla and started digging further in Chrome. The path was something like

http://www.site.com/files/Y8i2kD89shzMXK9ZE


See, it was renamed by the server. I was pretty sure it would work, but as soon as I entered the URL in Chrome, it displayed the plain text of the PHP shell, and I was like WTF :/ So I left it where it was, totally disappointed. Later I was checking for some XSS on that website, which I definitely test in Mozilla 😛, so I entered the path of the shell in Mozilla and BOOM! The PHP script got executed and I had control over the whole server. At first I thought that maybe it was the browser doing some execution, so to check further I created a simple HTML file with this code.

<script>alert(1)</script>


This was to check whether it was executing correctly or not. I got an XSS popup from it, and the XSS one was also working in Chrome, but Chrome was not executing the PHP script. I reported it quickly after this digging and they patched it real quick. They decided to triple the usual bounty for all the work. So guys, we should always use Mozilla for pentesting 😀 Lesson learned.
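The root cause above is an upload check that lived only in browser JavaScript, so turning JavaScript off removed the check entirely, and the stored file was then interpreted as PHP. The following is an added example of the server-side validation the site was missing; it is not code from the original post or from the affected website, and the allowed types, header values and function names are my own assumptions.

```python
import os
import secrets

# Allowlist of document types the upload feature should accept, keyed by the
# extension the server will assign, with the magic bytes each must start with.
ALLOWED_TYPES = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
}
CONTENT_TYPES = {"pdf": "application/pdf", "png": "image/png", "jpg": "image/jpeg"}
# PHP open tags; a document containing one is rejected even if it otherwise
# looks like a valid PDF/image, which blocks polyglot files.
PHP_TAGS = (b"<?php", b"<?=")


def validate_upload(filename: str, data: bytes):
    """Server-side check that does not depend on anything the browser did.

    Returns (accepted, reason, stored_name). stored_name is chosen by the
    server, so the client never controls the name or path on disk. The file
    should then be written to a directory outside the web root where the
    web server has script execution disabled.
    """
    name = os.path.basename(filename)          # drop any directory components
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in ALLOWED_TYPES:               # 'shell.php' stops here
        return False, "extension not allowed", None
    if not data.startswith(ALLOWED_TYPES[ext]):  # 'shell.php.pdf' with PHP inside stops here
        return False, "content does not match declared type", None
    if any(tag in data for tag in PHP_TAGS):   # PDF/PHP polyglot stops here
        return False, "embedded PHP tag", None
    return True, "ok", secrets.token_hex(16) + "." + ext


def download_headers(stored_name: str):
    """Headers for serving a stored document back to a user: fixed content
    type from the validated extension, forced download, and no MIME sniffing
    so the browser never renders the bytes as HTML or script."""
    ext = stored_name.rsplit(".", 1)[-1]
    return {
        "Content-Type": CONTENT_TYPES[ext],
        "Content-Disposition": f'attachment; filename="{stored_name}"',
        "X-Content-Type-Options": "nosniff",
    }
```

The three rejections in `validate_upload` each correspond to a way the original client-side check could have been sidestepped, and `download_headers` covers the serving side so that even a file that slips through is delivered as an inert download rather than rendered or executed.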

I hope you guys liked it. If you need any help with an issue, you can email me directly at butt@bugbountypoc.com
