6420ed62
20230317 - Remote Command Execution in a Bank Server.md
Remote Command Execution in a Bank Server
Discovery
- There was a functionality that let the user download a PDF file
- Observe the filename and folder parameters in the request
- It was straightforward: send passwd and /etc
It WORKED!
Deep Dive
- The app does not allow us to pass directory traversal payloads ('../', '%2e%2e%2f')
- Tried to get some default internal OS configuration files, but most of the files gave an error.
- Looked at the passwd file again and saw an interesting 'grcdm' user.
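The two findings above (a '../' deny-list that still lets an absolute folder such as /etc reach the file system) are the classic failure of filtering path strings instead of checking where the resolved path ends up. The following is an added example, not code from the writeup or the bank's application: a deny-list resolver of the kind described, beside a containment check that rejects absolute components, encoded traversal and symlink escapes. BASE_DIR is a hypothetical download root; the real one is not named in the writeup.

```python
"""Added example (not code from the writeup): why a '../' deny-list fails
and how a containment check on the resolved path fixes it."""
import os
from pathlib import PurePosixPath
from urllib.parse import unquote

# Hypothetical download root; the writeup does not name the real one.
BASE_DIR = "/srv/app/downloads"


class PathRejected(ValueError):
    """Raised when a folder/filename pair must not be served."""


def weak_resolve(folder: str, filename: str) -> str:
    """Deny-list check of the kind the writeup describes.

    It blocks a literal '../', but os.path.join discards everything before
    an absolute component, so folder='/etc' with filename='passwd' leaves
    the download root without ever containing '../'.
    """
    for value in (folder, filename):
        if "../" in value or "..\\" in value:
            raise PathRejected("traversal sequence in request")
    return os.path.normpath(os.path.join(BASE_DIR, folder, filename))


def safe_resolve(folder: str, filename: str) -> str:
    """Allow-list style check: plain relative components only, then
    canonicalize and prove the result is still inside BASE_DIR."""
    # Decode once so an encoded '%2e%2e%2f' is judged as the '../' it becomes.
    folder, filename = unquote(folder), unquote(filename)
    for value in (folder, filename):
        if "\x00" in value:
            raise PathRejected("NUL byte in request")
        path = PurePosixPath(value)
        if path.is_absolute() or ".." in path.parts or not path.parts:
            raise PathRejected(f"bad path component in {value!r}")
    # The filename must be exactly one component (no subdirectories).
    if len(PurePosixPath(filename).parts) != 1:
        raise PathRejected("filename must be a single component")
    # Canonicalize (symlinks are followed where they exist) and check
    # that the canonical path still has the download root as a prefix.
    base = os.path.realpath(BASE_DIR)
    full = os.path.realpath(os.path.join(base, folder, filename))
    if os.path.commonpath([base, full]) != base:
        raise PathRejected("resolved path leaves the download root")
    return full


def is_rejected(resolver, folder: str, filename: str) -> bool:
    """True if the resolver refuses the pair; used by the checks below."""
    try:
        resolver(folder, filename)
    except PathRejected:
        return True
    return False


if __name__ == "__main__":
    print(weak_resolve("/etc", "passwd"))                # escapes: /etc/passwd
    print(is_rejected(safe_resolve, "/etc", "passwd"))   # True
    print(safe_resolve("invoices", "cr_master_invoice.pdf"))
```

The design point is that the last step (canonicalize, then compare against the canonical base) is the one that actually decides; the component checks before it just give clearer error messages. Both os.path.join and pathlib's `/` operator drop earlier components when a later one is absolute, which is exactly the behaviour the writeup's "send passwd and /etc" relies on.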
Further exploration
- I tried with ~/.bash_history payload (/home/grcdm and .bash_history)
- I got the complete command history of user 'grcdm'
- After analyzing all the commands, I found the web host's root path.
Analysis
- I copied the names of all JSP pages using the Target Analyzer of Burp Suite (Engagement Tools)
- Configured Intruder and set the attack point to the filename parameter.
- I found a directory listing vulnerability in cr_master_invoice.jsp.
Analysis
- I passed ../../../../../../etc and saw that it listed all contents of the etc directory.
- Crawled all folders with the help of internal directory listing.
- I saw an unlinked JSP file that was vulnerable to Unrestricted File Upload.
Exploitation
- I quickly created an HTML file upload page and specified a vulnerable endpoint in the action attribute of the form tag.
- Opened the created HTML page in the browser and selected the JSP web shell to upload.
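The final step only works because the unlinked endpoint accepts any file under any name and stores it where the servlet container will execute it. The following is an added example, not code from the writeup or the bank's application, of the validation an upload handler should do before writing anything: extension allow-list, a content check against the declared type, and a random server-side name in a directory outside the web root. UPLOAD_DIR, ALLOWED_TYPES and the sample inputs are all constructed for this example.

```python
"""Added example (not code from the writeup): upload validation that
rejects a server-executable file regardless of the name the client chose."""
import os
import secrets

# Hypothetical storage directory, deliberately outside the web root so
# nothing stored here can be requested (let alone executed) as a page.
UPLOAD_DIR = "/srv/app/uploads"

# Allow-list: permitted extension -> magic bytes the content must start with.
ALLOWED_TYPES = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
}


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def validate_upload(client_filename: str, head: bytes) -> str:
    """Check the client's filename and the first bytes of the content.

    Returns a random server-side storage name (the client's name is never
    reused on disk) or raises UploadRejected.
    """
    # Keep only the basename; any directory part the client sent is dropped.
    name = os.path.basename(client_filename.replace("\\", "/"))
    if not name or "\x00" in name:
        raise UploadRejected("empty or malformed filename")
    # Only the final extension counts, and it must be on the allow-list.
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} is not allowed")
    # The content must look like what the extension claims: a JSP page
    # renamed to .pdf does not start with '%PDF-'.
    if not head.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match the declared type")
    return f"{secrets.token_hex(16)}.{ext}"


def storage_path(client_filename: str, head: bytes) -> str:
    """Full path the file would be written to, always inside UPLOAD_DIR."""
    return os.path.join(UPLOAD_DIR, validate_upload(client_filename, head))


def upload_rejected(client_filename: str, head: bytes) -> bool:
    """True if validate_upload refuses the file; used by the checks below."""
    try:
        validate_upload(client_filename, head)
    except UploadRejected:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: a generic JSP page directive and a PDF header.
    jsp_head = b'<%@ page language="java" %>'
    pdf_head = b"%PDF-1.4\n"
    print(upload_rejected("page.jsp", jsp_head))          # True
    print(upload_rejected("page.pdf", jsp_head))          # True (magic mismatch)
    print(storage_path("invoice.pdf", pdf_head))          # random name under UPLOAD_DIR
```

Each of the three checks closes a different gap: the allow-list stops .jsp outright, the magic-byte check stops a JSP renamed to .pdf, and the random name plus out-of-web-root directory means that even a file that passes both can never be fetched by the name the uploader picked.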
Credit
Based on Bipin Jitiya's writeup.
Support
You can follow me on Twitter or