August 1st, 2017, evening.
I was having my evening tea, a few hours away from a day off, when my manager rushed over and handed me a new task. He said: "Dear Raghav, you have to perform a quick security test on a particular website, ABC, and its sub-domains. Try to wrap it up in an hour or two. Find any critical or high bug and write the incident report so we can impress our client and buy proper time to perform a full security assessment."
The moment I received the e-mail for the project, my first move was to enumerate sub-domains, using Google/Bing search operators, reverse IP lookups, dnsdumpster.com, Knock Sub-domain Scan and the Acunetix Sub-domain Scanner.
Fig.1 Sub-domain Scanning
With the list of sub-domains made, I opened Firefox, installed the Wappalyzer add-on and started recording the technologies and their versions for each domain. After 10 minutes the technology/version mapping of the targeted domains was done. After some thought I selected two domains that were running Java and Oracle Commerce. Because their versions were disclosed, my next move was to search for known vulnerabilities in those technologies; with so little time, a public exploit for a known version is the easiest play.
To do this I had two options: the hard way, searching for vulnerabilities on nvd.nist.gov, cve.mitre.org, www.cvedetails.com or www.exploit-db.com; or creating a scan profile for Java and Oracle vulnerabilities in the Acunetix web scanner and crawling and scanning the websites with it.
I chose option two and created a profile for Oracle and Java vulnerabilities.
Fig.2 Profile Creation
I then crawled both websites manually using the Acunetix HTTP Sniffer and imported both crawls into scans that used the newly created profile. Within 5 minutes I had one critical alert from each scan.
First: Oracle Reports rwservlet vulnerabilities
Fig.3 rwservlet vulnerabilities
Second: WebLogic Server Side Request Forgery
Fig.4 Weblogic SSRF
Now I had to confirm whether the alerts were true positives or false positives. After some research on "Oracle Reports rwservlet vulnerabilities" I came across a direct exploit on Exploit-DB for Oracle Reports, CVE-2012-3153, and the Rapid7 Metasploit module "Oracle Forms and Reports Remote Code Execution".
Fig.5 OS Shell
Next, for the WebLogic Server Side Request Forgery, I set up a server under my control and enabled its access log. With the Acunetix HTTP Editor I replayed the flagged request with my server's IP as the payload and started monitoring the requests that arrived. A request appearing in that access log from the target's address, rather than from my own machine, confirms that the server itself fetched the URL.
Fig.6 Out Of Band Calls
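The confirmation step above, as an added example that is not code from the original write-up or from Acunetix: point the SSRF parameter at a host you control, then read that host's access.log and tie each callback to the request that caused it. It assumes the listener writes Apache/nginx "combined" log format and that each replayed request carries a unique token in the URL path; the hostnames, IP addresses and log lines are constructed for the example.

```python
"""Confirming a blind SSRF by out-of-band (OOB) callback.

Added example, not code from the original write-up or from Acunetix.
Assumptions: the listener writes Apache/nginx "combined" log lines, and
each replayed request embeds a unique token in the path so a hit can be
tied back to the request that produced it. All hostnames, IPs and log
lines below are constructed for this example.
"""
import re
import secrets
from datetime import datetime

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Callback paths look like /oob/<16 hex chars>, optionally followed by more path or a query.
TOKEN_PATH_RE = re.compile(r"^/oob/([0-9a-f]{16})(?:[/?].*)?$")


def make_payload(listener_host, label, registry):
    """Return a URL to place in the SSRF parameter; records token -> label in registry."""
    token = secrets.token_hex(8)          # 16 hex chars, fresh for every replay
    registry[token] = label
    return f"http://{listener_host}/oob/{token}"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_oob_hits(lines, registry, own_ips=()):
    """Return callbacks whose path carries a token registered via make_payload.

    Hits from own_ips are dropped: if the request came from your own scanner
    or browser, the target never fetched anything and nothing is confirmed.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = TOKEN_PATH_RE.match(rec["path"])
        if m is None or m.group(1) not in registry:
            continue                      # unrelated traffic or an unknown token
        if rec["ip"] in own_ips:
            continue                      # you fetched the URL yourself
        hits.append({
            "label": registry[m.group(1)],
            "source_ip": rec["ip"],
            "ts": rec["ts"].isoformat(),
            "method": rec["method"],
            "user_agent": rec["ua"],
        })
    return hits


# Constructed sample data: a fixed token stands in for secrets.token_hex so the
# log lines can reference it. 198.51.100.7 plays the tester's own machine,
# 203.0.113.10 the WebLogic host, 192.0.2.33 an unrelated crawler.
SAMPLE_REGISTRY = {"1a2b3c4d5e6f7a8b": "weblogic-ssrf-url-param"}
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Aug/2017:18:40:12 +0530] "GET /oob/1a2b3c4d5e6f7a8b HTTP/1.1" 200 2 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/54.0"',
    '192.0.2.33 - - [01/Aug/2017:18:41:03 +0530] "GET /robots.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible; bingbot/2.0)"',
    '203.0.113.10 - - [01/Aug/2017:18:42:07 +0530] "GET /oob/1a2b3c4d5e6f7a8b HTTP/1.1" 200 2 "-" "Java/1.7.0_80"',
    '203.0.113.10 - - [01/Aug/2017:18:42:09 +0530] "GET /oob/ffffffffffffffff HTTP/1.1" 200 2 "-" "Java/1.7.0_80"',
    "this line is not in combined format",
]

if __name__ == "__main__":
    for hit in find_oob_hits(SAMPLE_LOG, SAMPLE_REGISTRY, own_ips={"198.51.100.7"}):
        print(hit)
```

Only the line from 203.0.113.10 with the registered token counts as a hit: the tester's own fetch is excluded, the crawler never touched the callback path, and the unknown token is ignored. The User-Agent of the confirmed hit is worth keeping in the report, since a server-side HTTP client (here a constructed Java one) is further evidence that the target, not a browser, made the request.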
Finally I had two confirmed critical vulnerabilities, with enough time left to write the incident report... ;)