After two weeks of constant learning and hacking, we have finally got some results! Rajesh Ranjan with a great P2 level vulnerability on Bugcrowd, and Sam (CoffeeJunkie) with his first valid vulnerability report on Intigriti.
Here is the P2 level vulnerability reported by Rajesh Ranjan that got triaged.
And the first valid vulnerability report from Sam (CoffeeJunkie).
Day 16 comes with more learning about the following vulnerabilities.
File Inclusion Vulnerabilities
From Rajesh Ranjan. A file inclusion vulnerability allows an attacker to access unauthorized or sensitive files available on the web server, or to execute malicious files on the web server, by making use of the ‘include’ functionality. This vulnerability is mainly due to a weak input validation mechanism, wherein the user’s input is passed to the file include commands without proper validation. It can lead to code execution, or allow an attacker to read sensitive internal files present on the server. There are basically two types of file inclusion vulnerability:
- Remote File Inclusion (RFI)
- Local File Inclusion (LFI)
Remote File Inclusion
Remote file inclusion occurs when a web application includes a remote file or script located on another server. For example, consider a website named example.com that includes files into its index.php using a file parameter, as follows
In this case, an attacker may be able to abuse this functionality by placing a malicious file named evil.php, containing a web shell, on their own server, and might be able to exploit it as:
As soon as this code executes, the attacker might be able to gain a reverse shell and obtain full access to the web server.
Local File Inclusion
Local file inclusion occurs when an attacker is able to trick the application into exposing files on the web server. A successful LFI attack may lead to XSS or code execution. Basically, LFI occurs when the application uses a path to a file as input. LFI is very similar to RFI, but with LFI an attacker can only include local files (not remote files, as with RFI).
Case 1: Suppose there is an upload section on the server and an attacker has successfully uploaded a web shell to the server; they can then trick the web server into including that web shell file, named evil.php, as follows
In this way, he/she can get code execution on the server.
Case 2: Another attack which can be performed using LFI is the directory traversal attack. Check this out here.
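The root cause described above, for both RFI and LFI, is that the value of the file parameter reaches the include call without validation. The following is an added example (not code from the original post) that shows the vulnerable pattern next to a hardened resolver, written in Python so it can be run directly; the same three checks apply to a PHP include. The allowlist ALLOWED_PAGES, the base directory and the test inputs are all constructed for illustration.

```python
import os
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Hypothetical allowlist: the only page names the application is willing to include.
ALLOWED_PAGES = {"home.php", "about.php", "contact.php"}


def vulnerable_resolve(base_dir: str, requested: str) -> str:
    """The pattern behind file inclusion bugs: the user-supplied value is
    joined onto the include path with no validation. A '../' sequence walks
    out of base_dir (LFI / directory traversal), and if the include call also
    accepts URLs the same parameter becomes an RFI."""
    return os.path.join(base_dir, requested)


def hardened_resolve(base_dir: str, requested: str) -> Optional[str]:
    """Return the canonical path to include, or None if the request is refused."""
    # 1. Refuse anything that carries a URL scheme; this rules out RFI outright.
    if urlparse(requested).scheme:
        return None
    # 2. Accept only a bare file name that is on the allowlist. Any directory
    #    component, including '..', makes basename() differ from the input.
    if os.path.basename(requested) != requested or requested not in ALLOWED_PAGES:
        return None
    # 3. Canonicalize and confirm the result is still inside base_dir. This is
    #    defence in depth against symlinks or a future mistake in the allowlist.
    base_real = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base_real, requested))
    if os.path.commonpath([base_real, target]) != base_real:
        return None
    return target


def classify(base_dir: str, requests: List[str]) -> Dict[str, str]:
    """Map each constructed request to 'allowed' or 'refused' under the hardened resolver."""
    return {
        r: ("allowed" if hardened_resolve(base_dir, r) else "refused")
        for r in requests
    }


if __name__ == "__main__":
    base = "/var/www/pages"  # constructed base directory
    samples = [
        "home.php",                        # legitimate page
        "evil.php",                        # uploaded file, not on the allowlist
        "../../secret.txt",                # traversal out of base_dir
        "http://attacker.example/evil.php",  # remote include attempt
    ]
    for req, verdict in classify(base, samples).items():
        print(f"{verdict:8} {req}")
    print("vulnerable join:", vulnerable_resolve(base, "../../secret.txt"))
```

Note that the allowlist check alone would stop every sample above; the realpath check is kept because it also catches a symlink planted inside the pages directory, which the allowlist cannot see.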
Cheatsheets and Payloads
Port Scanning For Recon
From Sam (CoffeeJunkie). Port scanning for network and web application pentesting can open up a whole new set of possibilities. Two of the best-known port scanners are masscan and the classic nmap. There is a big difference between them: nmap usually takes longer than masscan due to its programming language and network scanning methods. Masscan is faster because it has been written in C, and with enough hardware it can scan the whole internet in 15 minutes.
One way to obtain fast and decent results is to use masscan first, due to its speed:
masscan -iL resolved-ips.txt -p1-65535 -oL output.txt
Once the scan is done and you see interesting ports such as 4080, 21, and so on, you can use nmap to get detailed information from a single IP:
nmap -Pn -T4 -A 10.10.10.10 -p21,4080 -oN output.nmap
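The hand-off between the two commands above (read the masscan list output, then run a targeted nmap per host) is easy to script. The following is an added example, not part of the original post, that parses masscan's -oL list format (one "open tcp <port> <ip> <timestamp>" record per line, comment lines starting with #) into a per-host port list and builds the matching nmap command lines with the same flags the post uses. The scan output embedded in it is constructed, not a real scan result.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed sample of masscan -oL output; the addresses and ports are made up.
SAMPLE_MASSCAN_LIST = """\
#masscan
open tcp 21 10.10.10.10 1700000000
open tcp 4080 10.10.10.10 1700000001
open tcp 443 10.10.10.11 1700000002
open tcp 8443 10.10.10.11 1700000003
open tcp 22 10.10.10.11 1700000004
this line is garbage and must be skipped
# end
"""


def parse_masscan_list(text: str) -> Dict[str, List[int]]:
    """Return {ip: sorted open TCP ports} from masscan -oL list output.

    Comment lines, blank lines and anything that is not an 'open tcp' record
    are ignored so that a partially written file does not abort the run."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "open" or fields[1] != "tcp":
            continue
        try:
            port = int(fields[2])
        except ValueError:
            continue
        hosts[fields[3]].add(port)
    return {ip: sorted(ports) for ip, ports in hosts.items()}


def _ipv4_key(addr: str):
    """Sort IPv4 addresses numerically rather than as strings."""
    return tuple(int(octet) for octet in addr.split("."))


def nmap_commands(hosts: Dict[str, List[int]], out_prefix: str = "output") -> List[str]:
    """One nmap follow-up per host, scanning only the ports masscan found open,
    with the same flags used in the post and one -oN file per host."""
    commands = []
    for ip in sorted(hosts, key=_ipv4_key):
        ports = ",".join(str(p) for p in hosts[ip])
        commands.append(f"nmap -Pn -T4 -A {ip} -p{ports} -oN {out_prefix}-{ip}.nmap")
    return commands


if __name__ == "__main__":
    found = parse_masscan_list(SAMPLE_MASSCAN_LIST)
    for cmd in nmap_commands(found):
        print(cmd)
```

In practice you would read the real file written by -oL instead of SAMPLE_MASSCAN_LIST and feed the generated lines to a shell, or to nmap directly through subprocess; keeping one -oN file per host makes the results easy to diff against a later scan, which is how the same script doubles as a check that no unexpected service has appeared on your own hosts.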
In some cases, depending on the target, hosts might be running vulnerable software that could lead to further exploitation. It is strongly recommended to use nmap scripts. Here you can find more information related to the scripts.