ElMahdi - マハディ
Hunting on ASPX Application For P1's [Unauthenticated SOAP,RCE, Info Disclosure] 본문
Hunting on ASPX Application For P1's [Unauthenticated SOAP,RCE, Info Disclosure]elmahdi 2020. 5. 31. 18:52
Hi, I wanna share with you how i found a P1 Vulnerabilities in a private program.
At first i grabbed subdomains and titles via assetfinder and, then resolved them using httprobe and extracted the the title of the responsive ones with get-title.
I started looking at the titles and i saw that there is a title that had "LOGIN" in it, i opened that page in my browser and i found that the website is an ASPX Application, the page didn't have any link for me to register, so i tried directories discovery with ffuf in orded find pages and sensitive files but i didn't find anything interesting so i moved to the next strep wich is Google search engine, i just made a basic dork search :
I opened all the pages and i noticed that there's a page for registeration but i didn't have the informations needed to do register myself :( , I clicked on CTRL+U to see if there are any JS Files that are included in the page and i found these two Files
Unauthenticated SOAP To [ Delete Documents, Get Informations Of Users, Access To Messages Of User , And Information Of Any Configuration of System, Other Functions ] :
I opened the config.js file and i found a SOAP File.
I opened the SOAP file and i found many user and system functions, i thought these function will surely require credentials, i coppied one of the urls that had a parameter id wich i gave it a radom value : 328915 and made the request.
Surprise, the website returned all the user sensitive informations without any authentication !!
Remote Command Execution in Telerik UI via CVE 2017-9248 And Critical IDOR thats Leak all Users PII :
After i reported the SOAP bug, i opened the second JS File , i found that theres an URL For an ASPX page wich had an upload functionality( Ohh !!) I tried to upload malicious files such as [ aspx , asp , html ] but it didnt work, and even uploading a valid file ( PDF ) the website would not return the URL for the document or the id for it ( Oh shit ) but i noticed thats the website uses Telerik for uploading the files and managing them ( Amm ) I searched for Telerik Exploits in Google and i found a blog that showed how to Pwn Telerik.
i read it and understood and tried exploiting it, and It worked, I got access to Telerik Filemanager and uploaded a TXT file to confirm the vulnerability.
After reporting the RCE, I returned to the page and i clicked cheked the source code of the page, and i found that there is an aspx File inside the JS Code (Oh) that was for reading Documents !!
var url = '/DocumentManagement/' + 'ViewDocumentImage.aspx?id=' + docid;
I Copied the URL And gave the id parameter a random number 15, the website returned PDF document wich had sensitive informations about a user without any authentication !!
Tomnomnom Tools :
Special Thanks to Anass Sbai @Flashy911 for rewrite this post And thanks to 之𝛜𝓭 ン挨ぁ @zedsec009 ♥️♥️