Wednesday, 11 May 2016

That Moment When You Find an Authentication Bypass Vulnerability in a Bug Bounty Program?

One whole year has passed since I joined bug bounty programs on various platforms, and all I could find was a handful of XSS, XFS, CSRF and CRLF vulnerabilities, 2 to 3 logical bugs, and about a million duplicates...

On the evening of 22nd Dec 2015 I started looking for subdomains of a website that was newly introduced to the bug bounty program. After fingerprinting all the domains I found a unique subdomain that was hosted on an IIS server and running ASP.NET at the back end. An Nmap scan gave me the versions of the server and technology: the web application was running on Windows Server 2003 with Microsoft IIS 6.0 and Microsoft SQL Server 2005. That was too old for 2015, so I went old school on one of the page's parameters and looked for SQL injection.


I injected a quote and within a few seconds I received a SQL error. Now I was sure a SQL injection vulnerability was present in this subdomain. As it was a subdomain, the severity of the bug was lower, so my main job was to find as many unique SQL bugs in the web application as possible.

My second thought was to check for all the SQL injection points, so I ran an automated SQL injection scan against the web app.


After a full scan of the web application all I found was 3 unique parameters with SQL bugs. But luckily 2 of those parameters were "Email" and "Password". After seeing them I got the idea of bypassing authentication via SQLi. So now I was able to report two different types of bug:
1. Authentication bypass via SQLi
2. Error-based SQL injection

Now comes the POC part for both. Exploiting the error-based SQL injection was easy if you know how to perform the attack; alternatively you can use modern automated injection tools to create the POC. So I used SQLMap to create the POC for the error-based SQL injection.
   


Now, creating the POC for authentication bypass via SQLi...
1. I opened the admin login page.
2. I intercepted the authentication request with Burp Suite.
3. I started brute forcing with different SQLi payloads; the list goes like:
' or ' 1 ' = ' 1
admin' --
admin' #
admin'/*
' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
') or ('1'='1--

and in the end the payload: 'or' '='
wooooooooooo..... at last it worked for me.

So, finally both my POCs were created and I successfully received a good amount of bug bounty for both my reports.
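To show why the payloads above work and what closes the hole, here is an added example (my own code, not anything from the affected site or the author): the same login lookup written once with string concatenation and once with bound parameters, run against a constructed SQLite table standing in for the site's SQL Server 2005 backend. The table contents, column names and credentials are assumed for the demo.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the application's login table; values are made up.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT, password TEXT, role TEXT)")
    db.execute("INSERT INTO users VALUES ('admin@example.com', 'S3cret!', 'admin')")
    return db

def login_vulnerable(db, email, password):
    """The pattern the post's payloads rely on: user input spliced into the SQL text."""
    sql = ("SELECT role FROM users WHERE email='" + email +
           "' AND password='" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_parameterized(db, email, password):
    """Same lookup with bound parameters: quotes and comment markers stay plain data."""
    sql = "SELECT role FROM users WHERE email=? AND password=?"
    row = db.execute(sql, (email, password)).fetchone()
    return row[0] if row else None

def compare(email, password):
    """Run one credential pair through both versions; returns (vulnerable, parameterized)."""
    return (login_vulnerable(make_db(), email, password),
            login_parameterized(make_db(), email, password))

if __name__ == "__main__":
    # Payload from the post's list: the '--' comment discards the rest of the WHERE clause,
    # so the concatenated query matches the first row while the bound query matches nothing.
    print(compare("anything", "' or 1=1--"))        # ('admin', None)
    # The post's final payload 'or' '=' depends on SQL Server treating ' ' = '' as true
    # (trailing spaces are ignored in its string comparisons); SQLite compares bytes,
    # so that particular payload does not fire against this stand-in database.
    print(compare("anything", "'or' '='"))
    print(compare("admin@example.com", "S3cret!"))  # ('admin', 'admin')
```

The fix is the parameterized form, and a login that reads an error page back to the user should also be replaced with a generic failure message, since the SQL error was what gave the injection away in the first place.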

- Raghav

Tuesday, 3 May 2016

Old School Source Code Disclosure Vulnerability

On May 2nd I started a re-evaluation of a web application for a client. While doing the re-evaluation I found out that they had added some more functions to the web app. I started exploring the new features of the app; everything looked fine, as they were all static HTML pages, then suddenly I came across a file "filedownload.php".

Now, my first step was to spider this branch, which I did with the help of Burp Suite, and the full link was "http://site.com/filedownload.php?file=E:\netpub\vhosts\www\httpdocs/journal/welcome.pdf"

The path of the application was disclosed: E:\netpub\vhosts\www\

Then I simply ran the link "http://site.com/filedownload.php?file=" in my browser and received an error message from the server:
"ERROR: download file NOT SPECIFIED. USE forcedownload.php?file=filepath"

The moment I saw that error I remembered it might be an old-school GHDB-type file download vulnerability, so now I had to check for two types of vulnerability:
1. LFI - Local File Inclusion
2. Source Code Disclosure

So after doing some directory traversal attacks I was sure that LFI was not applicable.

Then I started looking for the web.config file, as the server was running on Windows IIS.
"http://site.com/filedownload.php?file=web.config" - the link worked, but no luck, as the file was empty.


Then I looked for the "index.php" file, as many web developers put their database connection password in the "index" file: "http://site.com/filedownload.php?file=index.php". Luckily I was able to download the index file, but the password was still not present.


But I got a hint: a file named "UserUtils.php" was linked to the "index.php" file.
So I started searching for "UserUtils.php" in all the paths I knew. After some hard work I located the file at "E:\netpub\vhosts\www\htdocs\UserUtils.php". Full link:
"http://site.com/filedownload.php?file=E:\netpub\vhosts\www\htdocs\UserUtils.php"
The file contained the SMTP server's administrator email ID, username, password etc...

 
But still I was not done; I had to find the database credentials. So after reading the whole file I found a new path containing the configuration files "admin/include/config.php" and "admin/include/functions.php".

Now I tried to download the configuration file: "http://site.com/filedownload.php?file=admin/include/config.php"


And cheers, I was able to see the database credentials, as they were stored in plaintext.
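The root cause here is a download handler that passes the "file" parameter straight to the filesystem. As an added example (my own code, not the client's filedownload.php), this is the containment check such a handler needs: it takes a relative name, resolves it under one fixed download directory, and refuses absolute paths, drive letters and anything that escapes that directory. The directory layout and file contents in build_fixture() are constructed for the demo.

```python
import os
import tempfile

def resolve_download(base_dir, requested):
    """Return the real path to serve, or None if `requested` is not a file under base_dir."""
    # The affected app ran on IIS, so treat backslashes as separators, not file-name characters.
    name = requested.replace("\\", "/")
    # Absolute POSIX paths and drive-letter paths (E:\...) are never valid download names.
    if os.path.isabs(name) or (len(name) > 1 and name[1] == ":"):
        return None
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, name))
    # realpath collapses ../ segments and symlinks; the result must still sit inside base.
    if os.path.commonpath([base, full]) != base:
        return None
    # An empty "file=" resolves to the directory itself and is rejected here too.
    return full if os.path.isfile(full) else None

def build_fixture():
    """Constructed mini site: a public download dir next to config files that must stay private."""
    root = os.path.realpath(tempfile.mkdtemp())
    downloads = os.path.join(root, "httpdocs", "downloads")
    os.makedirs(os.path.join(downloads, "journal"))
    os.makedirs(os.path.join(root, "httpdocs", "admin", "include"))
    with open(os.path.join(downloads, "journal", "welcome.pdf"), "wb") as f:
        f.write(b"%PDF-1.4 constructed sample\n")
    with open(os.path.join(root, "httpdocs", "admin", "include", "config.php"), "w") as f:
        f.write("<?php $db_pass = 'PLACEHOLDER'; ?>\n")
    return downloads

if __name__ == "__main__":
    dl = build_fixture()
    for req in ("journal/welcome.pdf", "journal\\welcome.pdf", "",
                "../admin/include/config.php", "E:\\netpub\\vhosts\\www\\htdocs\\UserUtils.php"):
        print(repr(req), "->", resolve_download(dl, req))
```

Serving by a lookup key (an id mapped to a path server-side) removes the path from the request entirely and is simpler to get right than validating one.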

A video tutorial of a similar type of attack: https://www.youtube.com/watch?v=gjREfF5C4RQ

Thanks,


-Raghav Bisht

Getting started with AMF Flash Application Penetration Testing !

What is Action Message Format (AMF)? TL;DR: AMF is a binary message serialization format geared for remote procedure calls, native to the...