In the name of God, the Most Gracious, the Most Merciful
A short while ago I was bug hunting in one of the private programs on Bugcrowd. As usual, the hunt began with recon and enumeration. The target was tested black-box: no credentials were provided, and the app's front page is just a login page.
I. GIT Folder Disclosure
During the enumeration process, I found a .git directory that was exposed to the public.
By using this tool, I was able to download the application's source code from the
II. Finding The Credentials
Even though I had the source code, I didn't find any credentials in it. Also, this application is not vulnerable to SQL injection, so there was no way to bypass the login page.
After checking a few folders, I found a database directory and an SQL file called
However, in that SQL file there is only one default user, whose MD5-hashed password can't be cracked.
Fortunately, directory listing is enabled in the application. When I open the database directory, it shows a few database files, not just one file like in the
I quickly grabbed the latest file and checked its contents. There are a few users in it with multiple roles. Unfortunately, there are only 2 users with the admin role, and their passwords can't be cracked.
Then I moved on to the users with non-admin roles. I was able to crack the passwords of some non-admin users and finally log in to the application.
III. Bypassing Restricted File Upload
The application has a feature called Create Avatar. Through that feature, a user can create a custom avatar by choosing from several options.
After choosing the image option, the browser sends a request to the server with 2 parameters. The imgdata parameter contains the Base64-encoded image file generated by the Create Avatar feature, and filename is the file name under which it will be stored on the server.
The application implements restrictions to prevent users from uploading malicious files:
- The server only accepts files with
- The server only accepts files with the image data type
If we try to upload a file with a .php extension, the server returns an
However, after checking the source code I had obtained earlier, I found that this filter can easily be bypassed with a double extension, for example:
The second filter checks the content of imgdata, which must contain data:image/gif. This is not an obstacle, since the PHP file is still executed even though the content type was set to an image type.
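As an added illustration (not code from the target application or from the original write-up), the following Python validator puts a filter that behaves the way the write-up describes next to a hardened version. The exact logic of the weak filter and the data-URI shape of imgdata are assumptions.

```python
import base64
import binascii
import re
import secrets

# Allowed avatar extensions and the magic bytes the decoded image must start with.
ALLOWED = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}

# Constructed sample requests: a real GIF header, and PHP wrapped in an image data URI.
SAMPLE_GIF = "data:image/gif;base64," + base64.b64encode(b"GIF89a" + b"\x00" * 10).decode()
SAMPLE_PHP_AS_GIF = "data:image/gif;base64," + base64.b64encode(b"<?php phpinfo(); ?>").decode()


def weak_check(filename: str, imgdata: str) -> bool:
    """Assumed model of the filter described in the write-up: any allowed extension anywhere
    in the name passes, and imgdata only has to contain the string 'data:image/gif'.
    A name like avatar.gif.php with a PHP body therefore passes both checks."""
    has_ext = any(f".{ext}" in filename.lower() for ext in ALLOWED)
    return has_ext and "data:image/gif" in imgdata


def hardened_check(filename: str, imgdata: str) -> tuple[bool, str]:
    """Return (accepted, stored_name_or_reason). The extension is the *last* suffix, exactly
    one suffix is allowed, the body is strictly base64-decoded and its magic bytes must match
    the extension, and the stored name is generated server-side (user name is never used)."""
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]  # drop any path component
    parts = name.lower().split(".")
    if len(parts) != 2 or parts[1] not in ALLOWED:
        return False, "rejected: filename must be <name>.<gif|png|jpg|jpeg> with one extension"
    ext = parts[1]
    m = re.fullmatch(r"data:image/(\w+);base64,(.+)", imgdata, re.S)
    if not m:
        return False, "rejected: imgdata is not an image data URI"
    try:
        blob = base64.b64decode(m.group(2), validate=True)
    except binascii.Error:
        return False, "rejected: invalid base64"
    if not blob.startswith(ALLOWED[ext]):
        return False, "rejected: content does not match declared extension"
    return True, f"{secrets.token_hex(8)}.{ext}"


def demo() -> dict:
    """Run the constructed cases through both validators."""
    return {
        "weak_double_ext": weak_check("avatar.gif.php", SAMPLE_PHP_AS_GIF),
        "hard_double_ext": hardened_check("avatar.gif.php", SAMPLE_PHP_AS_GIF),
        "hard_php_in_gif": hardened_check("avatar.gif", SAMPLE_PHP_AS_GIF),
        "hard_real_gif": hardened_check("avatar.gif", SAMPLE_GIF),
    }
```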
For the initial test, I tried uploading a file that calls the PHP phpinfo() function:
PD9waHAgcGhwaW5mbygpOyA/Pg is the Base64 encoding of <?php phpinfo(); ?>
And the file was uploaded successfully!
Using the same method, I was able to upload a PHP shell and successfully execute OS commands.