The target application is a tool that provides secure access management for infrastructure, enabling users to manage and access servers, Kubernetes clusters, and databases seamlessly. It enhances security by offering features like single sign-on, role-based access controls, and audit logging, making it easier to manage and monitor access to critical infrastructure.
When accessing the integration script used to integrate with AWS OIDC, we can specify the integration name and the role of the integration.
When I click the generate command, I found a download script URL like https://h1-v0id1.domain.com/api/scripts/integrations/configure/awsoidc-idp.sh?integration_name=test&role=exampleRole.
I found that the web UI does not allow any symbols in these fields, but by specifying them directly in the download script URL instead, we can inject into and tamper with the integration script. Moreover, the integration name and role name are reflected in the integration script.
So we can inject bash into the download URL and tamper with the integration script to gain code execution.
We can inject a ' to break the script. For example, if we inject the following, we can break the script and execute cat /etc/passwd:
Payload: https://h1-v0id1.domain.com/api/scripts/integrations/configure/awsoidc-idp.sh?integration_name=%78%78%78%27%0A%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%0A%78%3d%27&role=exampleRole
The decoded payload looks like this:
The resulting script looks like this:
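The root cause and its fix, as an added example that is not from the report or the vendor's code: a constructed script generator that wraps the two query parameters in single quotes the way the page describes, beside a hardened version that allowlists and shell-quotes them server-side. The template, the allowlist pattern and the helper names are assumptions.

```python
import re
import shlex
from urllib.parse import parse_qs, urlsplit

# Constructed template standing in for the awsoidc-idp.sh generator: the two
# query parameters are interpolated into shell variable assignments.
SCRIPT_TEMPLATE = (
    "#!/bin/bash\n"
    "INTEGRATION_NAME={name}\n"
    "ROLE={role}\n"
    'echo "Configuring integration $INTEGRATION_NAME with role $ROLE"\n'
)

# Assumed allowlist. The page only says the web UI rejects symbols; the API
# endpoint must enforce the same rule itself instead of trusting the UI.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]{1,64}")

def is_safe_value(value: str) -> bool:
    return SAFE_VALUE.fullmatch(value) is not None

def render_vulnerable(name: str, role: str) -> str:
    """Behaviour the report describes: the raw value is wrapped in single
    quotes, so a value holding a quote plus a newline closes the assignment
    and contributes its own line to the generated script."""
    return SCRIPT_TEMPLATE.format(name=f"'{name}'", role=f"'{role}'")

def render_hardened(name: str, role: str) -> str:
    """Reject anything outside the allowlist, then shell-quote as defence in depth."""
    for label, value in (("integration_name", name), ("role", role)):
        if not is_safe_value(value):
            raise ValueError(f"invalid {label}: {value!r}")
    # shlex.quote keeps the value inside one single-quoted token even if the
    # allowlist is later loosened, so it can never start a new command.
    return SCRIPT_TEMPLATE.format(name=shlex.quote(name), role=shlex.quote(role))

def params_from_url(url: str) -> tuple:
    """Extract the two parameters from a download URL as the endpoint would."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("integration_name", [""])[0], qs.get("role", [""])[0]

def script_line_count(script: str) -> int:
    """Cheap tell for this bug: a generated script should have exactly as many
    lines as the template; any extra line came from a parameter."""
    return script.count("\n")

if __name__ == "__main__":
    # Constructed, benign injection in the shape of the report's payload.
    print(render_vulnerable("xxx'\necho injected\nx='", "exampleRole"))
```

Comparing `script_line_count` against the template's line count is also a usable detection for generated-script tampering in audit logs, since a legitimate request can never add lines.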
The report was marked as a duplicate. Original report CVSS: Medium (5.8).