How I Got $4000 From Visma For RCE

Writeup By Ratnadip Gajbhiye.
I’m not telling any story about my life and I also know you don’t intrested to listen who am i..πŸ˜‹
I always believed that sharing is caring,
so i decided to share my findings with you as it might help others who started in the Bug Bounty journey.
As you already know We are seeing a lot of noise again regarding the Uploadify script vulnerabilities affecting some WordPress themes/plugins.
What is Uploadify :-
Uploadify allows anyone to upload anything they want to your site without any authentication.
First of all, I want to tell you that ... before entering a bug Bounty field, I was a black hat hacker and I hacked and defaced many websites ... so I have information about that How to upload shell in the website...
I always use black hat techniques for hunting bug like admin panel bypass etc... :V
I never Target a main domain, i always Target subdomain..πŸ˜…
So one of my friend Ma*** gave me this site for security testing..
And I target subdomain of that site..
Ex.
https://visma.com
https://citrix.visma.com
So now here is the main Part of this article
how I detect site for RCE and upload a shell less than 10 minutes.
I searched for admin panel
Ex:- https://citrix.visma.com/admin
And its redirect me to WordPress admin panel.. 😍
I have some idea about how to find a theme and plugins error using exploit-db ..πŸ€—
Because I hacked and Defaced many websites using this themes/plugins error..πŸ˜™
So I tried to exploit the theme error using Dorks, I put 4 Dorks in the URL but I did not get success, then I filed the 5th Dork in the URL and I got the upload section.
Without wasting any time I upload a c99.php shell in website and I got access of hole server 😎
Proof of Concept :-
Remote Code Execution via Arbitrary File Upload
# Exploit Title : Wordpress Themes Konzept File Upload Vulnerability
# Author : Ratnadip Gajbhiye
# Google Dork: wp-content/themes/konzept
# Tested on: Lubuntu
# [!] Exploit : Upload section URL
 https://citrix.visma.com//wp-content/themes/konzept/includes/uploadify/uploadify.php
# [!] File Location : C99 Shell URL
 https://citrix.visma.com//wp-content/themes/konzept/includes/uploadify/uploads/c99_locus7s.php






Day 1 :- After reporting this to site got their reply in 5 min. :p
Thank you for your report we have passed to your IT team for fixing it ASAP
and Vulnerability is fixed within 2 Hours.
Day 2 :- The hole has now been patched and the shell is removed, but it will probably require some more time to go through the server before declaring it properly secured again.😏
Day 3 :- discussing with their management department for cash reward. 🀨
Day 4 & 5 :- No reply 😐
Day 6 :- Thank you for your patience in this matter. I’m happy to tell you that we have awarded you a bounty of $4000 USD for this finding.. πŸ€‘
Hope You liked this finding and i apologize for my weak English if there is any mistakes in this post.
Thanks for reading my article, have a great day . πŸ™‚

Comments

Post a Comment

Popular posts from this blog

From Hunting for a Laptop to Hunting down Remote Code Execution

Image
Write-Up By Anil Tom It was another ordinary day that I came home from office and was chatting with my roommates, when one of my friends called up and told he wanted to buy a new laptop and needed some suggestions. So I went online and began hunting for laptops that met his requirements. I was reading about one of the Asus RoG models, when suddenly the Bug Hunter in me woke up and I asked myself why I shouldn’t Recon the Asus website. So I began my recon of the website, and spent a whole night looking for a bug on their main domain and did not find anything… The next day morning I went to my office, but my mind was still on the Asus bug hunt. That evening I got a notification on my mobile that there was an update for the Termux app. And suddenly my Bug Hunter senses tingled, and I thought, “Why don’t you run a sublister against asus.com on the mobile?” I randomly selected one of Asus’ sub-domains, specifically  http://stw.asu...
Read more

Vine User’s Private information disclosure

Image
Hello  readers, This is  Prial Islam  a security researcher from Bangladesh . This is a old finding of mine adding into my blog . Today I will write about a Critical   IDOR vulnerability that will lead to  Information Disclosure   what allowed me to get any Vine user’s sensitive information including   Ip address/phone no/email  . I reported this bug to Twitter Security team in their  Bug Bounty Program in Hackerone  and they Rewarded me with a amount of  7560$ for  this report  . $$$$ + Blog post permission 😾 πŸ˜‡ Vine has issued a statement regarding this vulnerability on their  Vine blog Post here  and also Hackerone mentioned this vulnerability in hackerone  Zerodaily Newslatter  . Vulnerable Endpoint  :- https://vine.co/api/users/profiles/<User Id> When I was testing vine domains for something interesting . I noticed the Endpoint what response wa...
Read more

User Account Takeover [Password Change]— Nice Catch!

Image
Writeup By Rohit Kumar Image Credits: Record Future Ever thought how you are implementing and passing data from the form to your queries? You are doing it dynamically? Summary : In this writeup, I will explain how I was able to change the user account password without providing the old password. This writeup will be short. I will not take much time. About Target:  Target was From a private program. So, let’s assume the target is site.com Reproduction steps: Login into your site.com account. Navigate to  https://www.site.com/users/[user_id]/edit Now, you will see a form which allows you to edit your account details and there is also another option to change your current password which requires your old password but this can be bypassed easily. Now, for bypassing this change password feature. Just edit your account details and then submit this request and meanwhile intercept it. Now you will notice some $_POST fields which will be like user[first_...
Read more