Less Time to Perform Penetration Tests? Look for Known Bugs...!!
August 1st 2017, evening.
I was having my evening tea, with a few hours left before a day off, when I was suddenly assigned a new task by my manager. He rushed over to me and said: "Dear Raghav, you have to perform a quick security test on a particular website, ABC, and its sub-domains. Try to wrap it up in an hour or two. Find any critical or high bug and write the incident report so we can impress our client and buy proper time to perform a full security assessment."
The moment I received the e-mail about the project, my first move was to search for sub-domains, using techniques such as Google/Bing search operators, reverse IP lookups, dnsdumpster.com, Knock Sub-domain Scan and the Acunetix Sub-domain Scanner.
Fig.1 Sub-domain Scanning
Once I had made the list of sub-domains, I quickly opened the Firefox web browser, installed the Wappalyzer add-on and started looking for the technologies and their versions on the various domains. After 10 minutes I was finished mapping technology versions to the targeted domains. After some thought I selected two domains that were running Java and Oracle Commerce; my next move was to search for known vulnerabilities in these technologies, since their versions were disclosed and that would be the easiest play to exploit them in the least amount of time.
To achieve this I had two options: first, the hard way, searching for vulnerabilities on nvd.nist.gov, cve.mitre.org, www.cvedetails.com or www.exploit-db.com; second, creating a profile for Java and Oracle vulnerabilities in the Acunetix web scanner and then crawling and scanning the websites.
So I chose option two and created a profile for Oracle and Java vulnerabilities.
Fig.2 Profile Creation
Now I crawled both websites manually using the Acunetix HTTP Sniffer and imported both crawls into scans using the newly created scan profile. Within 5 minutes I had two critical alerts, one from each scan.
First: Oracle Reports rwservlet vulnerabilities
Fig.3 rwservlet vulnerabilities
Second: WebLogic Server Side Request Forgery
Fig.4 Weblogic SSRF
Now I had to confirm whether the alerts were false positives or true positives. After some research on "Oracle Reports rwservlet vulnerabilities" I came across a direct exploit in Exploit-DB, Oracle Reports CVE-2012-3153, and the Rapid7 Metasploit module Oracle Forms and Reports Remote Code Execution.
Fig.5 OS Shell
Next, for the WebLogic Server Side Request Forgery, I set up a server and enabled its access logs. With the help of the Acunetix HTTP Editor I replayed the vulnerable request with my server's IP as the payload and started monitoring the incoming requests.
Fig.6 Out Of Band Calls
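A way to check the listener's access log for the out-of-band callback and separate a real hit from unrelated noise, as an added example that is not part of the original post. It assumes the Apache/nginx "combined" log format, a constructed per-test canary path in the replayed request, and constructed log lines; the addresses and user agent are made up.

```python
import re
from datetime import datetime

# Apache/nginx "combined" access log format (assumed layout for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Unique marker placed in the replayed request so a hit cannot be confused with
# unrelated scanner or crawler traffic reaching the listener (constructed value).
CANARY = "/ssrf-check-a1b2c3"

# Constructed sample lines: two callbacks from the target, one unrelated crawl.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Aug/2017:18:42:07 +0530] "GET /ssrf-check-a1b2c3 HTTP/1.1" 404 196 "-" "Java/1.7.0_80"',
    '198.51.100.7 - - [01/Aug/2017:18:42:09 +0530] "GET /robots.txt HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [01/Aug/2017:18:42:11 +0530] "GET /ssrf-check-a1b2c3?x=1 HTTP/1.1" 404 196 "-" "Java/1.7.0_80"',
]

def find_callbacks(log_lines, canary=CANARY):
    """Parse the log and return every request whose path carries the canary."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or canary not in m.group("path"):
            continue
        hits.append({
            "src_ip": m.group("ip"),
            "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "path": m.group("path"),
            "user_agent": m.group("ua"),
        })
    return hits

def confirm_ssrf(log_lines, target_ips, canary=CANARY):
    """True only if a canary hit came from an address belonging to the target;
    that is what separates a server-side fetch from a false positive."""
    hits = find_callbacks(log_lines, canary)
    return any(h["src_ip"] in target_ips for h in hits), hits

if __name__ == "__main__":
    confirmed, hits = confirm_ssrf(SAMPLE_LOG, {"203.0.113.10"})
    print("confirmed" if confirmed else "not confirmed", len(hits), "callback(s)")
```

Recording the source address, timestamp and user agent of each hit gives the incident report the evidence a reviewer needs beyond the scanner alert itself.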
Finally I had two confirmed critical vulnerabilities, with sufficient time left to write the incident report...;)