Showing posts from September, 2017

Exploiting a Single Request for Multiple Vulnerabilities

Hello Everyone,

This is my first blog post. It's about multiple security vulnerabilities I recently found from a single request on a private program.

The vulnerabilities found are simple Stored and Reflected XSS, SSRF and Command Injection.

But since I have never written any PoCs before, I just wanted to write about this one.

So let's call the website privatesite.com.

After login, the first thing I saw was a feature to upload images.

So I started testing the uploader functionality, such as directly uploading PHP, SWF, SVG, etc., but nothing worked, as the uploader looked secure from my end.

Then I noticed there is a feature to crop the image; the POST request of this feature looked kind of interesting.

1. SSRF
There was a parameter http_path which had the image URL, so I fired up a socket listening to a port on my server, and in that http_path parameter I put my server's IP and port, and the socket received the connection.

So an external SSRF was confirmed.

2. Stored XSS
On t…