During one of my bug bounty hunting sessions, I came across an interesting vulnerability: CVE-2021-42063. Let me walk you through how I found this bug and explain the steps I followed.
To begin, I always rely on a recon tool that I developed called Ghost Recon. This tool helps me with subdomain enumeration and brute-forcing. Of course, you can do the same process without Ghost Recon. If you’re interested in trying it, you can check it out on GitHub: Ghost Recon.
For this recon phase, I started by running two tools: subfinder and subsleuth. These help in finding and enumerating subdomains efficiently. The commands I used are:
subfinder -d tataplay.com -all -o subfinder.txt
subsleuth -d tataplay.com -w wordlist.txt -o output.txt
Next, I combined the results, removed duplicates, and performed the process multiple times to ensure I didn’t miss any subdomains. The results were sorted and refined into a file of third-level domains. Here’s how I cleaned up the results:
cat * | sort -u | tee -a dup.txt
cat dup.txt | rev | cut -d "." -f 1,2,3 | sort -u | rev >> 3rdlevel.txt
subfinder -dL 3rdlevel.txt -o final.txt
subsleuth -l 3rdlevel.txt -w wordlist.txt -o final1.txt
cat * | sort -u | tee -a done.txt
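The dedupe-and-reduce step above has one pitfall worth knowing when you build an asset inventory this way: taking "the last three labels" only gives you a third-level name when the public suffix is a single label. The following POSIX shell script is an added example (not from the post or from Ghost Recon) that normalizes a list of hostnames, reduces each to its last three labels with awk instead of the rev/cut pipeline, and runs on a constructed sample list, one entry of which (a .co.uk name) shows the pitfall: the result is the apex example.co.uk, not a third-level name.

```shell
#!/bin/sh
# Added example: merge subdomain-enumeration output, dedupe it, and reduce
# each name to its last three DNS labels, the same idea as the post's
# `rev | cut -d "." -f 1,2,3 | rev` pipeline. The hostnames below are
# constructed sample data, not real enumeration results.

# Lowercase, drop a trailing dot, drop blank lines, and dedupe.
normalize_hosts() {
    tr 'A-Z' 'a-z' | sed 's/\.$//' | sed '/^$/d' | sort -u
}

# Keep only the last three labels of each name. Names with three or fewer
# labels (an apex such as example.com) pass through unchanged.
# Caveat: for multi-label public suffixes (co.uk, com.au, ...) the last
# three labels are the apex itself, so this does NOT yield a third-level
# name there; a public-suffix list is needed to do that correctly.
third_level() {
    awk -F. '{
        n = NF
        if (n <= 3) print $0
        else print $(n-2) "." $(n-1) "." $n
    }' | sort -u
}

# Count lines without the leading whitespace some wc versions print.
count_lines() {
    wc -l | tr -d ' '
}

# Constructed input: duplicates differing in case, a trailing-dot entry,
# an apex, and a multi-label public suffix.
SAMPLE_HOSTS='api.dev.example.com
API.dev.example.com
cdn.example.com
example.com
www.partner.example.com.
login.corp.example.co.uk'

# Full pipeline over the sample list.
merged_third_level() {
    printf '%s\n' "$SAMPLE_HOSTS" | normalize_hosts | third_level
}

merged_third_level
```

Running the script prints five unique names; note that www.partner.example.com collapses to partner.example.com while login.corp.example.co.uk collapses to example.co.uk, which is exactly the case where the three-label rule needs a public-suffix-aware tool instead.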
With the recon process done, it was time to move on to port scanning. I used my custom script and tools like naabu for this. Once the ports were scanned, I fed the results into httpx to identify live hosts:
httpx -l ports-withsubs.txt -o live.txt
Now, here's where the magic happens. I installed the CVE-2021-42063 tool from pip, which automates the process of detecting the vulnerability:
pip install CVE-2021-42063
pip install yaml # if needed
CVE-2021-42063 --chatid <YourTelegramChatID>
CVE-2021-42063 -i urls.txt -o out.txt
This tool does all the work for you. It scans the provided URLs for the vulnerability, and if it finds any, you get a notification on Telegram instantly. In this case, it flagged the vulnerable URL on partner.tataplay.com.
This vulnerability, CVE-2021-42063, was a reflected XSS (R-XSS) in the SAP Knowledge Warehouse component. Exploiting it allowed an attacker to execute scripts in a user's browser, potentially stealing sensitive information or hijacking the user's session.
Tool POC:
In part 2, I will write about the CVE, the core details of the bug, along with POC images.
POC by: @karthithehacker
Mail: contact@karthithehacker.com
Website: https://www.karthithehacker.com/
If you’re interested in our VAPT service, contact us at ceo@cappriciosec.com or contact@cappriciosec.com.
To enrol in my cybersecurity and bug bounty course, WhatsApp +91 82709 13635.
Twitter: https://twitter.com/karthithehacker
Instagram: https://www.instagram.com/karthithehacker/
LinkedIn: https://www.linkedin.com/in/karthikeyan--v/
GitHub: https://github.com/karthi-the-hacker/
npmjs: https://www.npmjs.com/~karthithehacker
Youtube: https://www.youtube.com/@karthi_the_hacker
Thank you