Remote Code Execution in private website – Bug Bounty POC
See, It was renamed by the server i was pretty sure it will work but as soon i entered the url in chrome, he displayed me simple text of the php shell, And i was like WTF :/ So i left it were it was, totally disappointed. Later i was checking some XSS on that web which definately i will test in mozila 😛 so i entered the path of the shell in mozila and BOOM! the php script got executed i had control over all the server, first i thought that maybe it is the browser doing some execution but for further i created an simple html file with this code.
To check whether it was executing right or not, so i got an xss popup by it and it was also working on chrome the XSS one but chrome was not executing the php script. I reported it quickly after this digging and they patched it real quick. They decided to triple the usual bounty for all the work. So Guys we should always use Mozila For Pentesting 😀 Lesson Learned
I hope you guys liked it, If you guys need any help in an issue you can email me directly at firstname.lastname@example.org