Pwn them for Learn

Hello guys! These days I'm not very active because of college life :( but this weekend I got enough time to write about one of my findings on a
private site :-) on which I was able to get Remote Code Execution on the server :)

Site : B*******.com
Description : Bitcoin sell and buy site 
Bug : Remote Code Execution

Ok, let's start! First of all, the site's login system was quite different: they send you an "Access Code" (a 7-digit code) to the registered email whenever you want to log in, and the site was running behind Cloudflare.

Playing around with the uploader :

After login there was a page to upload documents, including an ID proof upload, which had unrestricted file upload. But whenever I uploaded a PHP file and opened it, it just got downloaded. Then I started messing around with the uploader, and feeding it some unsuitable characters gave me a server error which leaked the server's full path, the upload script path, and the server type (nginx).

Let's read some files :

The thing I noticed was that anyfile.js was the script, and node_modules and things like that were there (I had zero knowledge of Node.js). Two things were confirmed: nginx and Node.js. But why wasn't PHP executing? HTML was executed, which means stored XSS, but I was looking for RCE. One thing I was missing is that nginx sometimes has problems with uploaders, so I put ../../a.php in the filename, which uploaded a.php to the root directory of the site, but it was still not executing :/ meaning PHP was not configured alongside Node.js. As I said, anyfile.js and its path were there in the debug message, so I opened it and I was fully shocked :O it was a Node.js file with the MySQL login (root user :D), the SMTP mail login (Gmail, the same email which sends the "Access code", which means we could do account takeover from here), and it was publicly accessible ;)

Let's shell :

Doing some more work I was able to read many files, which means I had arbitrary source code read. Now, as I said, the site was behind Cloudflare, so the real IP was not available to me, and I started hunting for its IP, which landed me on email headers that leaked the server IP. Ok, but the MySQL port 3306 was closed (maybe it's only up on 127.0.0.1, not on 0.0.0.0) (the same port was configured in anyfile.js), so I started looking for other ports on the same IP, which gave me 2 ports, ip:7788 and ip:8899. ip:8899 was a clone of the site, while ip:7788 had API documentation. By doing some work on the ip:7788 one I got its full path, which was /home/*user*/php/application/file.php :D damn, PHP was configured here. Now I went back to port 8899, which was the clone of the site, used ../../../user/php/a.php and checked it at ip:7788/a.php and boom, PHP executed :D

./My reaction : Let's get into it xD but as a whitehat I can't, it would violate the program's policy

./Root cause : 
Uploader misconfigured in 2 ways -> allowed php and directory change (most probably because of nginx) --- --- --- Eq. 1
Leak of the full path of a server which had php installed. -- --- --- Eq. 2

By combining Eq1 and Eq2 ; Eq1 + Eq2 = RCE

./Game Over
./Bounty awarded
./Special Thanks to Waleed, Rahul Maini, Daniel;
