In the name of God, the Most Gracious, the Most Merciful.
A few moments ago I did some bug hunting in one of the private programs on Bugcrowd. As usual, the hunting process begins with recon and enumeration. This target was tested black-box: no credentials were provided, and the app's front page is just a login page.
I. GIT Folder Disclosure
During the enumeration process, I found a .git directory that was exposed to the public.
Figure 1 - GIT Folder Disclosure
By using a git dumper tool, I was able to download the application's source code from the exposed .git directory.
Figure 2 - GIT Dumper Result
II. Finding The Credentials
Even though I had the source code, I did not find any credentials in it. Also, the application is not vulnerable to SQL injection, so there is no way to bypass the login page that way.
After checking a few folders, I found a database directory containing an SQL file called structure.sql.
Figure 3 - Finding the SQL File
However, that SQL file contains only one default user, whose md5-hashed password could not be cracked.
Fortunately, directory listing is enabled on the application. When I open the database directory on the live site, it shows several database files, not just the single file that was in the .git directory.
Figure 4 - Finding the SQL File in the Live Site
I quickly grabbed the latest file and checked its content. There are a few users in it with multiple roles. Unfortunately, there are only 2 users with the admin role, and their passwords could not be cracked.
Then I moved on to the users with a non-admin role; I was able to crack some of those, and finally I could log in to the application.
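Both findings so far, the exposed .git directory and the listable database directory with SQL dumps in it, come down to the web server serving things that should never have been under the web root. The configuration below is an added example written for this post, not the program's own configuration; the host name, the web root path and the database/ path are assumptions, and it assumes nginx (the post does not say which web server the target ran).

```nginx
# Added example, not the target application's configuration.
# Assumes the web root is a repository checkout, which is how a .git
# directory ends up reachable over HTTP in the first place.
server {
    listen 80;
    server_name example.invalid;        # placeholder host name
    root /var/www/app/public;           # assumed web root

    # Never serve directory indexes: the database/ listing in the post was
    # only discoverable because indexing was on.
    autoindex off;

    # Hide every dot-directory and dot-file (.git, .svn, .env, ...).
    # 404 rather than 403 avoids confirming that the path exists.
    # .well-known is exempted because ACME challenges live there.
    location ~ /\.(?!well-known/) {
        return 404;
    }

    # Schema dumps and backups do not belong under the web root at all; as a
    # second line of defence, block the directory and the file types by name.
    location ^~ /database/ {
        return 404;
    }
    location ~* \.(sql|bak|old|orig|zip|tar|gz)$ {
        return 404;
    }

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
}
```

The equivalent on Apache is `Options -Indexes` plus `RedirectMatch 404 /\.(?!well-known/)` in the vhost. The configuration is a backstop only: the real fix is to deploy a build artifact rather than a checkout, so that .git and database dumps are never on the web host, and to treat any SQL dump that was reachable as leaked (rotate every credential in it, and store password hashes with a salted slow KDF rather than md5 so a future leak is not crackable offline).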
III. Bypassing Restricted File Upload
The application has a feature called Create Avatar. Through that feature, a user can create a custom avatar by choosing from several options.
Figure 5 - Create Avatar Feature
Figure 6 - Create Avatar Feature
After choosing the image option, the browser sends a request to the server with 2 parameters, imgdata and filename. The imgdata parameter contains the Base64-encoded image file generated by the Create Avatar feature, and filename is the name under which the file will be stored on the server.
The application implements two restrictions to prevent users from uploading malicious files:
- The server only accepts files with .png, .jpg, and .gif extensions
- The server only accepts files with an image data type
If we try to upload a file with a .php extension, the server returns an error message.
Figure 7 - Uploading Avatar File
However, after checking the source code I obtained earlier, this filter can easily be bypassed by using a double extension, for example filename.png.php.
The second filter checks the content of imgdata, which must contain data:image/png, data:image/jpg, or data:image/gif. This is not an obstacle either, since the uploaded PHP file is still executed even though its content type was declared as an image.
For the initial test, I tried uploading a phpinfo() call:
data%3Aimage%2Fpng%3Bbase64%2CPD9waHAgcGhwaW5mbygpOyA/Pg%3d%3d
The PD9waHAgcGhwaW5mbygpOyA/Pg== part is the Base64 encoding of <?php phpinfo(); ?>.
Figure 8 - PHP File Uploaded
And the file was successfully uploaded!
Figure 9 - Uploading PHPInfo
Using the same method, I was able to upload a PHP shell and successfully execute an OS command.
Figure 10 - Upload and Executing Web Shell