Hello Fellas!
I am back again with another writeup after such a long time. In this writeup, you will get to know how simple recon leads to critical bugs.
I was testing on a private program. I started testing from the basics. I got a few low-hanging fruits. I dug more, but after spending a few hours I couldn’t find anything interesting. So I did recon on the target again (maybe I missed something in the previous recon).
I used Shodan for recon. The Shodan query was “http.title:RedactedTarget” and I got two IPs. The first IP was the target’s origin IP. I started with fuzzing and found paths like “/manage/admin/login.php”. There was also a registration page. I registered myself and it redirected me to the login page. And I got an automated email from the target saying they would inform me once the admin verified my account. Oops!
After a while of playing with the endpoint, I tried to log in, but I couldn’t, because the admin hadn’t verified my profile. I tried again with Burp. I captured the login request and changed the response URL from “/login.php?error=true” to “/login.php?success=true”, put 1 in the response and forwarded it. And it redirected me to gallery.php without admin verification.
But I was a low-privileged user; I could only upload photos. I also tried to bypass the filter on the file upload functionality, but in this case nothing worked. The product name was reflected, though, so I entered malicious HTML code and got XSS. This is not enough, right??? Then I inserted a blind XSS payload and it was executed after 5–6 hours. I got the notification, checked the XSSHunter dashboard, and I had Super Admin access. I reported it to the concerned company. Still waiting for the response.
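The two bugs above come down to the server trusting the client for decisions it should make itself. The following is an added Python model of that login and gallery flow (constructed example, not the target’s PHP; the user store, sha256 password hash and `weak_*`/`hardened_*` function names are assumptions): the weak variant issues a session before the admin has verified the account and lets the `?error=true` / `?success=true` redirect do the gating, which is exactly what a proxy edit of the response undoes, while the hardened variant checks verification server-side on login and again on every protected page, and escapes the reflected product name.

```python
import hashlib
import html
import secrets

# Constructed user store (not the target's data): registered, not yet verified.
# sha256 stands in for a real password hash such as bcrypt or argon2.
USERS = {"alice": {"pw": hashlib.sha256(b"correct horse").hexdigest(),
                   "verified": False}}
SESSIONS: dict[str, str] = {}  # session token -> username


def _password_ok(user: str, password: str) -> bool:
    rec = USERS.get(user)
    return rec is not None and rec["pw"] == hashlib.sha256(password.encode()).hexdigest()


def weak_login(user: str, password: str) -> dict:
    """Vulnerable pattern: a session is issued as soon as the password matches.
    The 'verified by admin' decision only shows up as ?success/?error in the
    redirect, which the browser enforces, so editing that response in a proxy
    turns error into success while the session is already valid."""
    if not _password_ok(user, password):
        return {"redirect": "/login.php?error=true", "session": None}
    token = secrets.token_hex(16)
    SESSIONS[token] = user
    flag = "success" if USERS[user]["verified"] else "error"
    return {"redirect": f"/login.php?{flag}=true", "session": token}


def weak_gallery(token: str) -> int:
    """gallery.php that trusts any live session: 200 even for an unverified user."""
    return 200 if token in SESSIONS else 302


def hardened_login(user: str, password: str) -> dict:
    """Fix 1: no session exists until the account is verified, so there is
    nothing for a tampered redirect to unlock."""
    if not _password_ok(user, password) or not USERS[user]["verified"]:
        return {"redirect": "/login.php?error=true", "session": None}
    token = secrets.token_hex(16)
    SESSIONS[token] = user
    return {"redirect": "/login.php?success=true", "session": token}


def hardened_gallery(token: str) -> int:
    """Fix 2: every protected page re-checks server-side state, not the URL."""
    user = SESSIONS.get(token)
    return 200 if user is not None and USERS[user]["verified"] else 302


def render_product_name(name: str) -> str:
    """Fix 3: escape the reflected product name so stored markup renders as text."""
    return f"<h1>{html.escape(name, quote=True)}</h1>"
```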
Hope for the b̶e̶s̶t̶ Bounty 😅😅
That’s all Fellas, see you next time till then Eat, Sleep, Hack repeat… 😉