Filemanager, website developer’s big sin.

3 years ago 175
BOOK THIS SPACE FOR AD
ARTICLE AD

Muhammad Syahrul Haniawan

How are you guys ? I hope you are fine there and can surviv with this pandemic. This is my 2nd write up about my bug bounty journey….Lets go !

Before we go any further it helps us to know what a filemanager is ? Filemanager is a piece of software that provides an interface for working with file systems. File manager functions for file management, managing files / files, creating files, opening files, editing, viewing, renaming files, moving, copying, deleting, searching and changing file permissions.

Initially I wanted to find an online class at one of the biggest coding bootcamp websites in Indonesia. We can call it as redacted.com. Somehow this bug I found also accidentally the same as before -_-.

I am just doing recon with wappalyzer and dirbuster. I found something special with wappalyzer result. Redacted.com using Laravel as the back end frameworks. I have experience about this frameworks and i know one exploit that is posible with this frameworks. Yes…. phpunit RCE. But unlucky i checked the vendor they don’t use phpunit.

I continue my recon by fuzzing the directory with dirbuster. Hmm…can you see the suspicious directory ? Yes….filemanager xD. I tried to open in the web but returning to login page -_-. Wait… returning ? means the directory does exist ! I am login with my old account and tried to open the filemanager again and BOOOM !.

I immediately tried to upload backdoor .php directly but failed. Second attempts i tried to upload .jpg and change the file content and extensions file with burpsuite.

Burpsuite intercept

WOW My .php file has been uploaded successfully !. I open it quickly to get my bind shell. And i get the ssh keys and database configuration.

Read Entire Article