# Simple Remote Code Execution Vulnerability Examples for Beginners

Whenever I talk with new security researchers and bug bounty hunters, they give me the impression that they do not consider themselves capable of finding Remote Code Execution vulnerabilities, because they believe such bugs are always super complex. Because of this misconception, they either never try to find one or stop looking after a while. I think part of the reason is that most of the published examples and write-ups describe really complex bugs, reaching RCE from several different root causes chained one to another. While I am always impressed by these well-written write-ups and new exploitation techniques, I still keep looking for the easy ones when hunting. So I decided to share some real-world examples that I found on Synack targets over a period of time; they were low-hanging fruit and could have been found and exploited by anyone. A few simple tricks can turn a vulnerability that looks unexploitable at first into a working one.

## First example

On a host I was looking at, I found a login page under the /support/ directory while fuzzing for directories. With the help of the JavaScript files loaded on that login page, I enumerated some of the post-login endpoints, and by requesting those endpoints directly I found that some of the administrator pages were accessible without logging in. One of them was a file upload page, which also allowed .asp file extensions. After uploading, I tried to enumerate the upload directory, both by fuzzing and by searching the JavaScript files, but it was not possible. I then tried to upload the file into a higher directory by putting a directory traversal sequence in the filename, and it worked.

## Second example

This time, the challenge was again finding the upload directory. No matter what I did, I couldn't enumerate the upload directory, and I didn't find any vulnerability to chain with it, such as the directory traversal in the first example. I then went back to the web form I had been filling in; it was an application form for something I no longer remember. A few minutes later, I received an e-mail from the web application about my application. The e-mail included all the information I had entered into the form, including a link to my uploaded document, which was hosted on the same in-scope application. Clicking the link returned my web shell, just like in the first example, along with a payout of roughly 3k from the platform. The lesson here is that notification e-mails, receipts and confirmation pages often reveal storage locations that direct enumeration does not.

## Third example

While testing a host, I found a SugarCRM instance running on an in-scope IP address. After gathering the software version and searching Google for vulnerabilities in it, I quickly found that the version was vulnerable to a PHP code execution vulnerability, and there was even a Metasploit module for it! Easy one, right? The target had been live for two days when I submitted the vulnerability, so the 24-hour rule had already passed and nobody had reported it yet.
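The first two examples both come down to the application trusting the client-supplied filename: a `..` sequence in the name let the file land outside the upload directory, and active extensions such as `.asp` were accepted. As an added example (not code from the write-up or from any application mentioned in it), the Python below puts that weak pattern next to a hardened version. The upload root, the web root and the extension allowlist are assumptions chosen for illustration.

```python
"""Vulnerable vs hardened handling of a user-supplied upload filename.

Constructed example; not code from the write-up or from any of the
applications it describes. UPLOAD_ROOT, WEB_ROOT and ALLOWED_EXTENSIONS
are assumptions made for the demonstration.
"""
import posixpath
import re

UPLOAD_ROOT = "/var/www/app/uploads"   # assumed upload directory
WEB_ROOT = "/var/www/app"              # assumed web root (parent of uploads)

# Extensions the hardened version accepts. The target in the write-up accepted
# .asp; an allowlist of inert document types is the usual fix, so active
# content (.asp, .aspx, .php, .jsp, ...) is denied simply by not being listed.
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "docx"}


def vulnerable_target_path(filename: str) -> str:
    """Mirror the weak pattern: trust the client's filename, join it to the
    upload directory and normalise. '..' segments walk out of UPLOAD_ROOT,
    so '../shell.asp' ends up directly under the web root."""
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, filename))


def escapes_upload_root(path: str) -> bool:
    """True when a resolved path lies outside UPLOAD_ROOT."""
    return posixpath.commonpath([UPLOAD_ROOT, path]) != UPLOAD_ROOT


def hardened_target_path(filename: str) -> str:
    """Reject traversal and active content instead of trusting the filename."""
    # 1. Keep only the final path component, splitting on both '/' and '\'
    #    so Windows-style traversal is handled the same way.
    base = re.split(r"[\\/]", filename)[-1]
    # 2. Reject empty names, relative components and dotfiles (.htaccess etc.).
    if base in ("", ".", "..") or base.startswith("."):
        raise ValueError("invalid filename")
    # 3. Allowlist the extension taken from the LAST dot.
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: {ext!r}")
    # 4. Restrict the remaining characters; this also blocks tricks such as
    #    'shell.asp;.jpg' that rely on separators the web server treats specially.
    if not re.fullmatch(r"[A-Za-z0-9._-]{1,128}", base):
        raise ValueError("filename contains disallowed characters")
    target = posixpath.normpath(posixpath.join(UPLOAD_ROOT, base))
    # 5. Belt and braces: the final path must still be inside UPLOAD_ROOT.
    if escapes_upload_root(target):
        raise ValueError("path escapes upload root")
    return target


def is_rejected(filename: str) -> bool:
    """Convenience wrapper: does the hardened builder refuse this name?"""
    try:
        hardened_target_path(filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed filenames of the kind seen in upload testing.
    for name in ["report.pdf", "../shell.asp", "..\\..\\web.config",
                 "shell.asp;.jpg", ".htaccess"]:
        weak = vulnerable_target_path(name)
        print(f"{name!r:22} weak -> {weak!s:32} escapes={escapes_upload_root(weak)!s:5} "
              f"hardened rejects={is_rejected(name)}")
```

The hardened version strips client-supplied directories rather than trying to sanitise them, which is why `../../etc/report.pdf` is stored as `uploads/report.pdf` while anything with an active extension is refused outright. The final `commonpath` check is redundant once the basename is taken, but it is cheap and protects against a later refactor that reintroduces path components.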