Hi hunters, again I'm going to share some of my findings, which I found a few months ago. This article is divided into 3 parts, each part describing one finding. So, not to take any more of your time, let's jump into the 1st finding. I added some bug bounty tips at the end of the blog. Please forgive me if I've made any mistakes.
1st Bug: Not-arbitrary file upload:
From the title you can guess that it's not a fully arbitrary file upload, but I was able to upload image files (only) to the main site through the admin panel uploader, where I bypassed the login to access the file uploader.
So, when I was testing a private bounty site (let's call it privateBB.com), I ran dirsearch over one of its subdomains, app.privateBB.com, and got a 302 response on the /admin directory, which redirected to privateBB.oldCMS.com/login. I tried to bypass it with default credentials, but that didn't work. Then I ran dirsearch over privateBB.oldCMS.com and guess what!! I found a CKfinder file uploader and was able to access it without any kind of authentication.
CKfinder file uploader
But it only accepted image files. I tried to tamper with every file extension using bypasses like shell.php%00.jpg, but it turned into shell.php%00_.jpg. I tried every extension bypass but failed every time. BTW, all image files are hosted at privateBB.com/__data/uploads/files/[HERE]. I finally gathered and combined the bugs and submitted a report about the authentication bypass leading to a not-arbitrary file upload on the main domain. They marked it as P3 😔 and awarded a bounty.
2nd Bug: Information Disclosure (High) 🔥🔥:
It was one of my fastest findings. This one is about a PostgreSQL host, name and password disclosure. In January I was testing a web service that manages cloud service hosting for software infrastructure services. Let's call it BBcloud.com. There are 4 types of roles for members:
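To show what an extension-bypass probe set like the one above is really testing, here is an added example (my own code, not the author's and not CKfinder's logic): a deliberately weak "does the name end in an image extension?" check next to a hardened validator that strips directory parts, rejects NUL and percent-encoded bytes, allowlists only the final extension, checks the file's magic bytes, and stores under a random server-side name. The probe list and the byte strings are constructed; the page only mentions shell.php%00.jpg, the other variants are common ones I added.

```python
import os
import re
import secrets

# Allowed image extensions mapped to the magic bytes the content must start with.
ALLOWED_IMAGES = {
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
}


def naive_is_image(filename: str) -> bool:
    """Hypothetical weak check: does the submitted name end with an image
    extension?  'shell.php%00.jpg' passes, and what ends up on disk is then
    whatever the framework makes of the NUL byte."""
    return filename.lower().endswith((".jpg", ".jpeg", ".png", ".gif"))


def validate_upload(filename: str, data: bytes):
    """Hardened check.  Returns (True, server_side_name) or (False, reason)."""
    # 1. Drop any directory part the client sent (../ and Windows separators).
    name = os.path.basename(filename.replace("\\", "/"))
    # 2. NUL/control bytes and percent-encoded bytes have no place in a file name.
    if re.search(r"[\x00-\x1f\x7f]|%[0-9a-fA-F]{2}", name):
        return False, "control or percent-encoded byte in file name"
    # 3. Only the final extension decides the type, compared against an allowlist.
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    if ext not in ALLOWED_IMAGES:
        return False, f"extension {ext!r} not in allowlist"
    # 4. The bytes must really be that image type; a PHP file named .jpg fails here.
    if not data.startswith(ALLOWED_IMAGES[ext]):
        return False, "content does not match extension"
    # 5. Never store under the client-chosen name: a random name with the verified
    #    extension defeats double-extension tricks and path games at once.
    return True, f"{secrets.token_hex(16)}.{ext}"


# Constructed probe set: the page's shell.php%00.jpg plus common variants.
PHP_PAYLOAD = b"<?php system($_GET['c']); ?>\n"
JPEG_BYTES = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"      # minimal JPEG header
PROBES = [
    ("shell.php%00.jpg", PHP_PAYLOAD),
    ("shell.php\x00.jpg", PHP_PAYLOAD),
    ("shell.php.jpg", PHP_PAYLOAD),
    ("shell.pHp", PHP_PAYLOAD),
    ("../../shell.php", PHP_PAYLOAD),
    ("photo.jpg", JPEG_BYTES),
]


def run_probes(probes=PROBES):
    """For each probe return (naive_verdict, hardened_verdict, detail)."""
    results = {}
    for name, data in probes:
        ok, detail = validate_upload(name, data)
        results[name] = (naive_is_image(name), ok, detail)
    return results


if __name__ == "__main__":
    for name, (naive, hard, detail) in run_probes().items():
        print(f"{name!r:24} naive={naive!s:5} hardened={hard!s:5} {detail}")
```

The naive check accepts every probe that merely ends in ".jpg"; the hardened one accepts only content that is actually an image, and even then the client's base name never reaches the disk.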
- Admin (full access)
- Operator (access to a few operations, can see service information)
- Developer (less access to operations than Operator, can see service information)
- Read_only (read access only, can't see service information)
I set up 2 accounts, one as Admin and another as read_only. As you know, read_only can't see service information, but wait, I leveraged that and was able to see service information. So, as Admin I started a PostgreSQL service and bought the premium service plan, which has an extra feature called Pool. What is Pool: connection pooling allows managing large numbers of PostgreSQL client connections efficiently without sacrificing overall performance.
Now I added a pool of any size (it doesn't matter). There is also an option called Info, where you can see your PostgreSQL info and connection URI. The PostgreSQL connection URI looks like:
Now I logged in as the read_only user. As you know, in this mode I can only see the operation names and can't see the infos. But in the Pool tab, when I clicked the Info button, I was able to see the PostgreSQL info and URI, and in the URI I could see the password, host and username.
read_only vs Admin
This is how I found a critical severity bug in a few minutes and got rewarded a good bounty.
3rd Bug: Non-accessible project invoice download:
This bug was also found on the same target as above. So, what this bug actually does: when you get removed from a project, you can still access and download the updated invoice of the project.
The invoice link looks like:
As I mentioned in the 2nd bug, there are 4 roles, and everyone can access the Invoice tab of a project except the read_only user. Now, with the Developer role, I copied the newly created invoice link, and after that I removed myself from the project, so I no longer had access to the project but still had the invoice link. Now the fun part: whenever the project gets updated, the invoice link stays the same, only the contents of the invoice get updated. After learning this I was super happy. That means if an attacker gets the invoice link, he doesn't have to look for any other information; the invoice report contains some juicy information. I reported it and got a bounty, and they fixed it quickly.
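Both the 2nd and the 3rd bug are the same class of mistake, an access check that exists on one path but not on another, so here is one added example covering both (my own code, not BBcloud.com's and not the author's). It models the four roles from the post and a project whose members can be removed; the "vulnerable" handlers check the role only on the Service tab and only when the invoice link is issued, while the "fixed" handlers run the same membership-plus-role check on every request. The project, user names, the URI with `appuser:s3cret@db.example.invalid` and the invoice texts are all constructed.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# The four roles from the post.  True = may see service information and the
# project's invoices; read_only sees neither.
ROLE_SEES_DETAILS = {"admin": True, "operator": True,
                     "developer": True, "read_only": False}


class Forbidden(Exception):
    """Raised when an access check fails."""


@dataclass
class Project:
    members: dict        # user -> role; mutable, members get removed
    service_uri: str     # PostgreSQL connection URI (constructed)
    invoice: str         # latest invoice contents, overwritten on update


def require_details(project: Project, user: str) -> None:
    """Membership AND role are checked on every request, never cached in a link."""
    if user not in project.members:
        raise Forbidden(f"{user} is no longer a member")
    role = project.members[user]
    if not ROLE_SEES_DETAILS[role]:
        raise Forbidden(f"role {role} may not see service information")


# ---- Bug 2 shape: the Service tab checks the role, the Pool tab forgot ------
def info_vulnerable(project, user, tab):
    if tab == "service":
        require_details(project, user)
    return {"uri": project.service_uri}      # pool tab: same URI, no check


def info_fixed(project, user, tab):
    require_details(project, user)           # identical check on every tab
    return {"uri": project.service_uri}


def credentials_in_uri(uri):
    """What a tester reads off a leaked URI: (username, password, host)."""
    p = urlsplit(uri)
    return p.username, p.password, p.hostname


# ---- Bug 3 shape: stable link, authorisation only when the link is issued ---
def invoice_link(project, user, project_id):
    require_details(project, user)           # developer may open the Invoice tab
    return f"/projects/{project_id}/invoice/latest"   # same link forever


def download_invoice_vulnerable(projects, link):
    pid = link.split("/")[2]
    return projects[pid].invoice             # holding the link is the only "check"


def download_invoice_fixed(projects, link, user):
    pid = link.split("/")[2]
    require_details(projects[pid], user)     # current membership + role
    return projects[pid].invoice


def demo():
    """Replays both findings on constructed data; returns what each path yields."""
    p = Project(members={"alice": "admin", "ro": "read_only", "dev": "developer"},
                service_uri="postgres://appuser:s3cret@db.example.invalid:5432/app",
                invoice="invoice v1: 100 EUR")
    projects = {"p1": p}
    out = {}

    def attempt(key, fn):
        try:
            fn()
            out[key] = "leaked"
        except Forbidden:
            out[key] = "forbidden"

    # Bug 2: read_only is blocked on the Service tab but not on the Pool tab.
    attempt("ro_service_vuln", lambda: info_vulnerable(p, "ro", "service"))
    out["ro_pool_vuln"] = credentials_in_uri(info_vulnerable(p, "ro", "pool")["uri"])
    attempt("ro_pool_fixed", lambda: info_fixed(p, "ro", "pool"))

    # Bug 3: developer copies the link, is removed, the invoice is then updated.
    link = invoice_link(p, "dev", "p1")
    del p.members["dev"]
    p.invoice = "invoice v2: 250 EUR"
    out["removed_dev_vuln"] = download_invoice_vulnerable(projects, link)
    attempt("removed_dev_fixed", lambda: download_invoice_fixed(projects, link, "dev"))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of `require_details` is that it is called from the handler that serves the data, not from the handler that rendered the tab or issued the link; that is what makes the removed developer and the read_only user fail at download time rather than at navigation time.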
That's all, guys.
Here are a few tips:
- Always go for the premium product of the app. There will always be some juicy bugs which you can exploit and get a bounty for.
- Check whether subdomains are in scope or not, and do directory fuzzing over those subdomains; check whether it affects the primary or scoped domain. Then proceed further.
- Always check invoice or other juicy links after being removed from a project or group. If you can access and download the invoice without access to the project, report it and get the bounty.
Stay tuned for more.
[This was already posted on March 4, 2020; you can check it on archive.org. For some reason my domain expired and I lost all the data, and I had no backup then. I will try to re-upload my old blogs.]