Hello Penetration Testers,
I will write about my findings in 2 PBBPs…
From Information Disclosure
to Remote Code Execution
to Same-Origin Policy Bypass
— — — —
Let’s call them a.com & b.com
While running Dirb,
I found a crossdomain.xml file,
so I checked it at a.com/crossdomain.xml
and saw that a.com allows access from any subdomain of b.com.
Then I ran Sublist3r to find b.com subdomains..
(./Sublist3r.py -d b.com)
After a few minutes…
I got the list of b.com subdomains.
Then I ran EyeWitness to take screenshots of the b.com subdomain list
(./EyeWitness.py --prepend-https --headless -f b-subdomains.txt)
And Braaah :"D
I noticed a subdomain which has
Then I asked my best friend (Google) about this version..
After digging in Google Results:
I noticed that this version is affected by CVE-2016-8735 (RCE).
And I knew that JexBoss can exploit this vulnerability..
So I ran JexBoss against it
(./jexboss.py -u http://developers.b.com)
and ran the exploit..
After a few moments… Done 😀
The payload uploaded successfully
and the reverse shell worked perfectly 😀
I got RCE on developers.b.com
-Now I can upload malicious files to this subdomain and have full access to it. 😂
-And since a.com's crossdomain.xml trusts every b.com subdomain, I can also bypass the SOP at a.com 😎
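The a.com side of this chain is a policy-file misconfiguration, so here is a small auditor for crossdomain.xml that flags the rules that made the SOP bypass possible. This is an added example, not code from the write-up; the policy body and the a.com/b.com names are constructed to match the story.

```python
"""Audit a Flash/Silverlight crossdomain.xml for over-permissive grants.

A wildcard subdomain grant is only as strong as the weakest host under it:
once one b.com subdomain is compromised, a Flash object hosted there can read
a.com responses inside a victim's browser, which is the SOP bypass described.
"""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the a.com/crossdomain.xml from the write-up
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.b.com" />
  <allow-access-from domain="www.a.com" secure="true" />
</cross-domain-policy>
"""


def audit_crossdomain_policy(xml_text):
    """Return a list of (severity, message) findings for a crossdomain.xml body."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [("high", "root element is not <cross-domain-policy>")]

    # Without a master <site-control>, per-directory policy files may also be honoured
    if root.find("site-control") is None:
        findings.append(("medium", "no <site-control> element; policy scope is not restricted"))

    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        # On an HTTPS-served policy a missing secure attribute means true; an explicit
        # secure="false" lets plain-HTTP origins read HTTPS responses.
        secure = rule.get("secure", "true").lower()
        if domain == "*":
            findings.append(("critical", "domain='*' grants every origin read access"))
        elif domain.startswith("*."):
            findings.append(("high",
                f"wildcard {domain} trusts every host under {domain[2:]}, "
                "including any host that is later compromised"))
        if secure == "false":
            findings.append(("high", f"secure='false' on {domain} allows HTTP origins"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_crossdomain_policy(SAMPLE_POLICY):
        print(f"[{severity}] {message}")
```

Run against the constructed sample it reports the missing site-control element and the *.b.com wildcard; a policy listing only explicit hosts with a master-only site-control comes back clean.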
1. Reported RCE to b.com PBBP.
2. Reported Same-Origin Policy Possible Bypass to a.com PBBP.
-The 2 issues were fixed within 10 days.
-And I gained …. Thanks :3
-They don't give bounties, bad luck..
but no problem at all 🖐️😄
-The first step is always collecting information about the target.
-Check every single request.
-Check all the files on the server.