Last night I deleted the server hosting this blog. I took a backup of the files but forgot to take a backup of the database; I'll soon copy-paste the reports from the Web Archive.
Hey guys! Hope you are all doing well :). In June/July I decided to hunt on Google products. As Google has almost everything in scope, I went through the list of Google products/fully integrated acquisitions ( https://www.google.com/intl/en/about/products/ ). Waze is one of Google's fully integrated acquisitions (there's a difference between integrated and non-integrated). So I decided to give it a try 🙂
I was looking at the Waze iOS app and there was an option to log in with Twitter, so I started capturing requests. The URL was like this:
(not exactly this, feeling lazy to checkout again :P)
The flow works in the same manner as the `Authorization Code flow`, as Twitter doesn't have an `Implicit flow` (as far as I know).
2 – 302 Response to https://api.twitter.com/oauth/authorize?oauth_token=xxxxx&redirect_uri=http://www.waze.com/SocialMediaServer/redirect?redirect=http://somdomain.waze.com%3Fsession_cookies=xxxx&server=this
3 – After authorizing, redirect to http://www.waze.com/SocialMediaServer/redirect?redirect=http%3A%2F%2Fsomdomain.waze.com%2Ftwitter%3F
4 – And then finally redirect to http://somdomain.waze.com/twitter?session_cookies=xxxx&oauth_token==xxx&oauth_verifier=xxxxx
So everyone knows what is suspicious here: http://www.waze.com/SocialMediaServer/redirect?redirect=http%3A%2F%2Fsomdomain.waze.com%2Ftwitter%3F
Luckily, yes, it was vulnerable to open redirect. We won the battle already 😀 but wait, we're working with Twitter's `oauth_verifier`, which is not very usable from an attacker's perspective. Also, Twitter requires us to authorize the app every time :/
http://www.waze.com/SocialMediaServer/social/connect?id=twitter&session_cookies=xxx : looking at 'id', it seems some more social connects are possible, so I checked out the Android app as well and found Facebook and LinkedIn are also there. I started testing on Android; the flow for Facebook was completely different here. I started fuzzing around the old URL and tried replacing Twitter with Facebook.
Response: 500 Error 🙁
But wait, I've seen many apps working in this pattern: /social/*connection_name*/connect. Let's give it a try.
Response: 302 :DDDDD
Changed ?redirect=http://harshjaiswal.com and response_type=token,signed_request
Final PoC:
Although this was a fully integrated acquisition, I got a smaller bounty 😛 as they still consider it an acquisition for bounty purposes 🙁
But it's okay! At least I learned one thing: if they don't give you the endpoint, try to guess it 3:)
I hope you like it. 🙂
Hello guys! These days I'm not very active because of college life 🙁 but this weekend I got enough time to write about one of my findings on a private site 🙂 from which I was able to get remote code execution on the server 🙂
Site: B*******.com
Description: Bitcoin sell and buy site
Bug: Remote Code Execution
Ok, let's start! First of all, the site's login system was completely different: they send you an "Access Code" (a 7-digit code) to the registered email whenever you want to log in, and the site was running behind Cloudflare.
Playing around with the uploader:
After login there was a page to upload documents, including an ID proof upload, which had unrestricted file upload. But whenever I uploaded PHP and opened it, it got downloaded. Then I started messing around with the uploader, and giving it some unsuitable characters produced a server error which leaked the server's full path, the upload script path, and the server type (nginx).
Let's read some files:
The thing I noticed is that anyfile.js was a script, and node_modules and things like that were there (zero knowledge of Node.js). Two things were confirmed: nginx and Node.js. But why wasn't PHP executing? HTML was executed, which means stored XSS, but I was looking for RCE. Now, one thing I was missing is that nginx sometimes has problems with uploaders, so I used ../../a.php in the filename, which uploaded a.php into the site's root directory, but it was still not executing :/ which means PHP was not configured on the Node.js server. As I said, anyfile.js and its path were in the debug message, so I opened it and was fully shocked :O it was a Node.js file with the MySQL login (root user 😀), the SMTP mail login (Gmail, the same email which sends the "Access code", which means we could do account takeover from here), and it was publicly accessible 😉
Let's shell:
Doing some more work, I was able to read many files, which means I got arbitrary source code read. Now, as I said, the site was behind Cloudflare, so the real IP was not available to me. I started looking for its IP, which led me to email headers that leaked the server IP. OK, but the MySQL port 3306 was closed (maybe it's only up on 127.0.0.1, not on 0.0.0.0) (the same port was configured in anyfile.js), so I started looking for other ports on the same IP, which gave me 2 ports: ip:7788 and ip:8899. ip:8899 was a clone of the site, while ip:7788 had API documentation. By doing some work on the ip:7788 one I got its full path, which was /home/*user*/php/application/file.php 😀 damn, PHP was configured here. Now I went back to port 8899, which was the clone of the site, used ../../../user/php/a.php, checked it at ip:7788/a.php and boom, PHP executed 😀
./My reaction: Let's get into it xD but as a whitehat I can't, it would violate the program's policy
./Root cause:
Uploader misconfigured in 2 ways -> allowed PHP and directory change (most probably because of nginx) — — — Eq. 1
Leak of the full path of a server which had PHP installed. — — — Eq. 2
By combining Eq. 1 and Eq. 2: Eq. 1 + Eq. 2 = RCE