Remote Code Execution in private website
Hello Bug Bounty POC viewers, this is Hisham Mir, and today I will be sharing how last month I found Remote Code Execution in a private website. So let's start.

After I created an account on the website and logged in, there was a document upload feature, so I tried uploading some PHP files. They were rejected, but the check was only JavaScript running in my browser; the server itself was not validating anything. Later that night I was reading an article about disabling JavaScript in the browser (I am pretty sure you all know the Firefox extension that lets you do this). Since the file check was done by that JavaScript, I just disabled JavaScript, and the PHP file was uploaded to the server.

Now I had to find the path, but Burp helped me with it; it is a good friend of all. Besides this, I usually pentest websites using Chrome, so as soon as I had the path I closed Firefox and continued digging in Chrome. The path was something like:
http://www.site.com/files/Y8i2kD89shzMXK9ZE
See, it was renamed by the server. I was pretty sure it would work, but as soon as I entered the URL in Chrome, it displayed the plain text of the PHP shell, and I was like WTF :/ So I left it where it was, totally disappointed. Later I was checking for some XSS on that site, which I always test in Firefox 😛, so I entered the path of the shell in Firefox and BOOM! The PHP script got executed and I had control over the whole server. At first I thought maybe the browser was doing the execution, so to check further I created a simple HTML file with this code:
<script>alert(1)</script>
to check whether it was executing or not. I got an XSS popup from it, and the XSS one worked in Chrome as well, but Chrome was not executing the PHP script. I reported it quickly after this digging and they patched it real quick. They decided to triple the usual bounty for all the work. So guys, we should always use Firefox for pentesting 😀 Lesson learned.

One caveat worth keeping in mind: PHP is executed by the server, not the browser, so when the same URL behaves differently in two browsers, compare the two raw requests and responses in Burp (headers, cookies, cache state) before drawing conclusions about which browser to trust.
I hope you liked it. If you need any help with an issue, you can email me directly at butt@bugbountypoc.com