Hello Penetration Testers,

Today,
I will write about my findings in two private bug bounty programs (PBBPs)…
From Information Disclosure
to Remote Code Execution
to Same-Origin Policy Bypass
— — — —
Let’s call them a.com & b.com
a.com:
While running Dirb,
I found a crossdomain.xml file,
so I checked it at a.com/crossdomain.xml.
I saw that a.com allows access from any subdomain of b.com:
<allow-access-from domain="*.b.com"/>
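
A small audit script for this kind of policy, added here as an illustration (it is not part of the original write-up, and the sample policy below is constructed to resemble the one found on a.com). It parses a crossdomain.xml document and flags the entries that widen the Same-Origin Policy the most: a bare "*" wildcard, a "*.example" subdomain wildcard (which trusts every current and future host under that domain, including forgotten or vulnerable ones like the Tomcat box in this story), and secure="false", which lets plain http:// origins read an https site.

```python
"""Audit a Flash/Silverlight crossdomain.xml policy for overly broad access grants.

Constructed example, not code from the original post. The sample policy is
modelled on the finding in the write-up: a.com trusting every *.b.com host.
"""
import xml.etree.ElementTree as ET

# Constructed sample policy (hypothetical domains, as in the write-up).
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.b.com"/>
  <allow-access-from domain="cdn.a.com" secure="false"/>
  <allow-access-from domain="app.a.com"/>
</cross-domain-policy>
"""


def trusted_domains(policy_xml: str) -> list:
    """Return every domain value granted access by <allow-access-from> entries."""
    root = ET.fromstring(policy_xml)
    return [entry.get("domain", "") for entry in root.iter("allow-access-from")]


def audit_crossdomain(policy_xml: str) -> list:
    """Return (domain, reason) findings for grants that widen the SOP too far.

    Flagged patterns:
      "*"            -> any origin may read responses carrying the user's cookies
      "*.example"    -> every subdomain is trusted; one compromised or orphaned
                        host under it can read a.com's authenticated responses
      secure="false" -> http:// origins may reach an https:// site (downgrade)
    """
    findings = []
    root = ET.fromstring(policy_xml)
    for entry in root.iter("allow-access-from"):
        domain = entry.get("domain", "")
        if domain == "*":
            findings.append((domain, "wildcard grants every origin"))
        elif domain.startswith("*."):
            findings.append(
                (domain, "subdomain wildcard: every host under %s is trusted" % domain[2:])
            )
        # Adobe's default for the secure attribute is "true" on https sites.
        if entry.get("secure", "true").lower() == "false":
            findings.append((domain, 'secure="false" lets http:// origins reach this https site'))
    return findings


if __name__ == "__main__":
    print("Trusted domains:", trusted_domains(SAMPLE_POLICY))
    for domain, reason in audit_crossdomain(SAMPLE_POLICY):
        print("FINDING %s: %s" % (domain, reason))
```

Running it against the sample reports the *.b.com wildcard and the secure="false" entry; a policy that lists only specific hostnames comes back clean. The fix on the a.com side is the same thing the script hints at: enumerate the exact hosts that need cross-domain access instead of trusting a whole second-level domain.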

b.com:
Then I ran Sublist3r to find b.com subdomains:
(./Sublist3r.py -d b.com)
After a few minutes…
I got the list of b.com subdomains.

Then I ran EyeWitness to take screenshots of the b.com subdomains list:
(./EyeWitness.py --prepend-https --headless -f b-subdomains.txt)

And Braaah :"D
I noticed a subdomain which was running
(Apache Tomcat/6.0.35)
Then I asked my best friend (Google) about this version.

After digging through the Google results:
I noticed that this version is affected by CVE-2016-8735 (RCE),
and I knew that JexBoss can exploit this vulnerability.

So I ran JexBoss against this vulnerability:
(./jexboss.py -h)
(./jexboss.py -u http://developers.b.com)

And ran the exploit.
After a few moments… Done 😀
The payload uploaded successfully
and the reverse shell worked perfectly 😀

I got RCE on developers.b.com.
-Now I could upload malicious files to this subdomain and had full access to it. 😂
-And I could also bypass the SOP at a.com, because a.com's crossdomain.xml trusts every *.b.com host, including the one I now controlled. 😎

The Results:
1. Reported RCE to the b.com PBBP.
2. Reported a possible Same-Origin Policy bypass to the a.com PBBP.

-The two issues were fixed within 10 days.
-And I gained …. Thanks :3
-They don't give bounties. Bad luck..
but no problem at all 🖐️😄

Lessons Learned:
-The first step is always collecting information about the target.
-Check every single request.
-Check all the files on the server.

Best,
Youssef
