Hello, my name is Muhammad Syahrul Haniawan. I am from Indonesia and this is my first write-up on Medium.com. I’ll tell you a little about the experience I had and my first bug bounty.
Have you ever thought that having a paid hobby is very fun? xD. I have an interest in Japanese culture, especially anime and manga. At that time I was just reading news about Japanese culture on one of the biggest Japanese news websites in Indonesia. Because this is a private bug bounty program, we will call the website redacted.com.
OK, let’s go….
That day I was very surprised to hear the news that my idol actress Yui Aragaki announced her marriage to a Japanese actor. I immediately looked for articles about it and found a website that I used to frequent to read news about Japan.
At first I had no intention of testing the security of the website, but I found something that caught my attention: yes … the plugins in use rely on an older version of jQuery, 3.4.1, which was released in 2019.
I fuzzed the directories on the main domain and didn’t get a good entry point. After that I found subdomain.redacted.com. I just did directory recon with view-source on the main page xD. I found a suspicious directory called jquery-fileupload there hehe…
I remember reading an article related to jquery-fileupload on this site https://blog.detectify.com/2018/12/13/jquery-file-upload-a-tale-of-three-vulnerabilities/ .
Let’s try that!
I went to https://subdomain.redacted.com/jquery-fileupload/server/php and found the entry point, and it showed “files[]”. HMMMMMM…… I made a simple CSRF to try this entry point for uploading a webshell.
WOW, we can see the response here. It does show an error message, but I think my webshell uploaded successfully. “How do we know the directory of the files?” That’s simple, just add one more directory, “/files/”. And boom….. it really happened xD.
I immediately reported this to the website developer. They responded quickly. I was awarded an internship at the company for 1 month and got a certificate of appreciation.
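For defenders, the pattern described above (a POST to the jquery-fileupload handler, then a request for a script file under its files/ directory) can be searched for in web access logs. This is an added example, not code from the original write-up; the Combined Log Format, the extension list and the sample log lines are assumptions constructed for illustration.

```python
import re

# Paths from the write-up: the upload handler and the files/ directory beneath it.
UPLOAD_PATH = "/jquery-fileupload/server/php"
FILES_PREFIX = UPLOAD_PATH + "/files/"
# Extensions a PHP-enabled server may execute (assumed list; match your handler config).
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)
# Combined Log Format (assumed): ip ident user [time] "METHOD target proto" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2021:10:01:02 +0700] "GET /jquery-fileupload/server/php/ HTTP/1.1" 200 45',
    '203.0.113.7 - - [10/Jul/2021:10:03:10 +0700] "POST /jquery-fileupload/server/php/ HTTP/1.1" 200 312',
    '203.0.113.7 - - [10/Jul/2021:10:03:40 +0700] "GET /jquery-fileupload/server/php/files/test.php HTTP/1.1" 200 18',
    '198.51.100.9 - - [10/Jul/2021:10:05:00 +0700] "GET /jquery-fileupload/server/php/files/photo.jpg HTTP/1.1" 200 20481',
    '198.51.100.9 - - [10/Jul/2021:10:06:00 +0700] "GET /jquery-fileupload/server/php/files/old.phtml HTTP/1.1" 404 0',
]

def find_script_hits(lines):
    """Return (ip, path, uploaded_first) for every successful request to a
    script file under files/. uploaded_first is True when the same client
    POSTed to the upload handler earlier in the log."""
    uploaders = set()
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        ip, method, target, status = m.groups()
        path = target.split("?", 1)[0]  # drop the query string
        if method == "POST" and path.rstrip("/") in (UPLOAD_PATH, UPLOAD_PATH + "/index.php"):
            uploaders.add(ip)
        elif status == "200" and path.startswith(FILES_PREFIX) and SCRIPT_EXT.search(path):
            # A 200 on a script in an upload directory means the server served
            # (and probably executed) user-supplied code.
            hits.append((ip, path, ip in uploaders))
    return hits

if __name__ == "__main__":
    for ip, path, uploaded_first in find_script_hits(SAMPLE_LOG):
        print(ip, path, "uploaded by same client" if uploaded_first else "uploader unknown")
```

Any hit is worth investigating even when uploaded_first is False, since the upload may have come from a different address or predate the log window.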
That’s all for my write-up about my hobby and hacking xixixi… See you next time guys, and I hope you enjoy it.
CONTACT:
LinkedIn: https://www.linkedin.com/in/msyahrulh/
TIMELINE:
Found the bug: 10 July 2021
Report: 11 July 2021
Rewarded: 12 July 2021