Tuesday, 26 June 2018

Exploiting CyberArk

Some time ago I found a few bugs in CyberArk (version I think that because all of them are 'for logged-in users only' - maybe you will find them useful. ;) A few details below...

Let's start from the beginning:

1) open-redirect bug?

Maybe it's some 'feature'... but sending a POST request to UserSets.aspx with the content presented below

will show you a 302 code in Intruder's tab. I was wondering what would happen if I set up Kali's Apache2 on port 9090 and pointed the txtManagerSite param at that box (for the /asd 'resource')...

Response from Burp:

...ok it wasn't Apache ;]
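The fix for a redirect parameter like txtManagerSite is to validate the target before the application emits the 302. The following is an added example written for this post, not CyberArk's code: a validator that accepts only same-site relative paths or https URLs whose host is on an allowlist, and rejects protocol-relative, backslash and `user@host` forms that commonly slip past naive checks. The allowlist host and the fallback path are assumptions for the illustration.

```python
from urllib.parse import urlsplit

# Hosts the application is allowed to redirect to (constructed example value).
ALLOWED_HOSTS = {"vault.example.com"}


def is_safe_redirect(target, allowed_hosts):
    """Return True only for a same-site relative path or an https URL to an
    allowlisted host. Anything else is treated as an off-site redirect."""
    if not target or any(ch in target for ch in "\r\n\t "):
        return False
    # Browsers accept "/\host/..." as protocol-relative, so normalise
    # backslashes before parsing.
    candidate = target.replace("\\", "/")
    # "//host/path" has no scheme but still leaves the site.
    if candidate.startswith("//"):
        return False
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute URL: only https to an allowlisted host is acceptable;
        # urlsplit().hostname strips userinfo, so "good@evil" resolves to "evil".
        if parts.scheme.lower() != "https":
            return False
        return (parts.hostname or "").lower() in allowed_hosts
    # Relative URL: must be an absolute path on this site.
    return candidate.startswith("/")


def sanitise_redirect(target, allowed_hosts, fallback="/"):
    """Return the target if it is safe, otherwise a fixed in-site fallback."""
    return target if is_safe_redirect(target, allowed_hosts) else fallback
```

Called as `sanitise_redirect(request_param, ALLOWED_HOSTS)` before issuing the 302, this turns an off-site value such as `http://<attacker box>:9090/asd` into the fallback path instead of a redirect.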

Cool. Next.

2) persistent XSS - account name - create token

I decided to create some 'Tokens' - results below:

If you're looking for a cool 'Account Name', this one should be a good start:

When I tried different 'payload', I saw something new in the background:

I think our token is created now:


Last hint:


3) persistent XSS - VfManager.asmx - SeceltAccounts -> DisplayName

Sending POST again:


Don't worry. ;> Let's check some of the 'Groups' - below:



4) user's groups - ConfigurationPage

When you want to check the (created) "user's groups" in your ConfigurationPage, you will find:

5) persistent XSS - "Dialog Title"

6) persistent XSS - Adding Group



...cookie in prompt(). Same results with prompt(1) (just for a 'better view' ;)):
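All of the persistent XSS cases above (account name, DisplayName, "Dialog Title", group name) share one root cause: a value stored from one user is later written into a page without output encoding for the context it lands in. The block below is an added example written for this post, not CyberArk's code, showing the vulnerable concatenation beside two correct renderers: HTML-body escaping for names shown in the groups table, and a JSON/`</`-aware encoder for a title passed into an inline script. The stored records are constructed sample data, and the `openDialog` function is an assumed name.

```python
import html
import json

# Constructed sample of what the application might have stored; the second
# record holds the characters that matter for both output contexts.
STORED_GROUPS = [
    {"DisplayName": "Vault Admins", "DialogTitle": "Edit group"},
    {"DisplayName": 'Ops & <"Admins">', "DialogTitle": "Close</script>me"},
]


def render_group_row_unsafe(group):
    """Vulnerable pattern: stored data concatenated straight into markup."""
    return "<tr><td>" + group["DisplayName"] + "</td></tr>"


def render_group_row(group):
    """HTML body context: encode & < > " ' so the value is only ever text."""
    return "<tr><td>" + html.escape(group["DisplayName"], quote=True) + "</td></tr>"


def js_string_literal(value):
    """JavaScript string context: JSON-encode, then neutralise "</" (which
    would close the enclosing <script>) and the U+2028/U+2029 line
    terminators that JSON permits but JavaScript source does not."""
    encoded = json.dumps(value)
    return (encoded.replace("</", "<\\/")
                   .replace("\u2028", "\\u2028")
                   .replace("\u2029", "\\u2029"))


def render_dialog_script(group):
    """Inline script that hands the stored title to an assumed openDialog()."""
    return "<script>openDialog(" + js_string_literal(group["DialogTitle"]) + ");</script>"


def render_groups_page(groups):
    """Whole page: escaped table rows followed by one dialog script per group."""
    rows = "".join(render_group_row(g) for g in groups)
    scripts = "".join(render_dialog_script(g) for g in groups)
    return "<table>" + rows + "</table>" + scripts
```

The point of having two encoders is that `html.escape` is wrong inside a script block and `json.dumps` is wrong inside HTML text; a single "sanitise on input" step at the create-token or add-group form cannot know which context the value will be rendered in later, so the encoding has to happen at output.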


Enough for now. ;]
