Remote Command Execution in a Bank Server

(Figure: A simple pictorial representation of the entire flow.)

Technical Deep Dive👨‍💻

Discovery

It was a grey box security assessment. There was a functionality that asked the user for the Customer ID and based on the ID, it generated a hyperlink to download a statement PDF. The user could download a PDF file by clicking on that download link. See the below screenshot of the PDF download request in Burp Suite.

(Figure: PDF download request in Burp Suite)
(Figure: A practical example showing the difference between LFI and AFR)
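The screenshot above contrasts arbitrary file read (AFR) through the filename parameter with a true LFI. The Python example below is added here and is not code from the original write-up; it shows the download pattern that parameter implies (a client-supplied filename joined onto a base directory) beside a hardened lookup that derives the path from the Customer ID on the server side and checks both ownership and containment. STATEMENT_ROOT, the customer ID format and the helper names are assumptions.

```python
from pathlib import Path
import re

# Hypothetical layout: one statement PDF per customer ID under this directory.
STATEMENT_ROOT = Path("/srv/statements")
# Assumed customer ID shape: 6 to 12 digits. Anything else is rejected outright.
CUSTOMER_ID_RE = re.compile(r"[0-9]{6,12}")


def naive_statement_path(filename: str) -> Path:
    """The risky pattern: a client-supplied filename is joined onto the base
    directory with no normalisation, so '../' sequences walk out of it and
    any readable file (for example JSP source) can be served."""
    return STATEMENT_ROOT / filename


def is_within_root(candidate: Path, root: Path = STATEMENT_ROOT) -> bool:
    """True only if the fully resolved path is strictly inside the root."""
    resolved = candidate.resolve(strict=False)
    return root.resolve(strict=False) in resolved.parents


def resolve_statement(customer_id: str, owned_ids: set) -> Path:
    """Hardened lookup: the client never supplies a filename at all.
    1. The caller must own the requested customer ID (authorisation).
    2. The ID must match the expected shape (input validation).
    3. The server builds the filename itself and still re-checks containment."""
    if customer_id not in owned_ids:
        raise PermissionError("customer ID not owned by the current user")
    if not CUSTOMER_ID_RE.fullmatch(customer_id):
        raise ValueError("customer ID has an unexpected format")
    candidate = STATEMENT_ROOT / f"{customer_id}.pdf"
    if not is_within_root(candidate):
        raise ValueError("resolved path escapes the statement directory")
    return candidate


def lookup_outcome(customer_id: str, owned_ids: set) -> str:
    """Map the three possible outcomes to a label (useful for logging and tests)."""
    try:
        resolve_statement(customer_id, owned_ids)
        return "ok"
    except PermissionError:
        return "forbidden"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    print(is_within_root(naive_statement_path("../../etc/passwd")))  # False
    print(lookup_outcome("123456789", {"123456789"}))                # ok
    print(lookup_outcome("../../etc/passwd", {"../../etc/passwd"}))  # rejected
```

The ownership check matters as much as the path check: even with traversal closed, a handler that accepts any Customer ID still lets one customer fetch another customer's statement.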

Analysis and further exploration 🕵️‍♂️🔍

I had already crawled the application. I copied the names of all JSP pages within the target domain using the Target Analyzer in the Engagement Tools of the Burp Suite proxy, configured Intruder in Burp Suite, and set the attack position to the value of the filename parameter.

(Figure: Source code snippet of cr_master_invoice.jsp)
(Figure: cr_upload_bak11.jsp — Code snippet 1)
(Figure: cr_upload_bak11.jsp — Code snippet 2)

Exploitation 🥷

I quickly created an HTML file upload page and specified a vulnerable endpoint in the action attribute of the form tag.

<!DOCTYPE html>
<html>
    <body>
    <form action="https://[REDACTED].com/grcdm/portal/content/ext/framework/cr_upload_bak11.jsp" method="POST" enctype="multipart/form-data">
      <input type="file" name="fileToUpload" />
      <input type="submit" value="Upload file" />
    </form>
    </body>
</html>
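The backup JSP that form posts to accepted any file from any client and wrote it under the web root, which is what turned a file upload into command execution. The Python example below is added here and is not code from the original post; it shows the server-side checks such an upload handler needs: an identity check, an extension allow-list applied to the real last suffix, a size cap, a content sniff, a random name on disk and storage outside the served directory. WEB_ROOT, UPLOAD_ROOT, the size limit and the helper names are assumptions.

```python
import secrets
from pathlib import Path

# Hypothetical deployment values: the directory the application server serves
# JSPs from, and a storage directory deliberately outside it so that nothing
# uploaded can ever be executed by the container.
WEB_ROOT = Path("/opt/app/webapps/portal")
UPLOAD_ROOT = Path("/var/app/uploads")
MAX_UPLOAD_BYTES = 10 * 1024 * 1024

# Allow-list: permitted extension -> magic bytes the body must start with.
ALLOWED_TYPES = {".pdf": b"%PDF-"}


def check_upload(original_name: str, content: bytes, authenticated: bool):
    """Return (accepted, reason). Each rule is one the backup JSP lacked."""
    if not authenticated:
        return False, "authentication required"
    if len(content) > MAX_UPLOAD_BYTES:
        return False, "file too large"
    # Keep only the final path component and judge its *last* suffix, so that
    # 'stmt.pdf.jsp' is treated as '.jsp', not '.pdf'.
    base = Path(original_name).name
    suffix = Path(base).suffix.lower()
    if suffix not in ALLOWED_TYPES:
        return False, f"extension {suffix or '(none)'} not allowed"
    if not content.startswith(ALLOWED_TYPES[suffix]):
        return False, "content does not match declared type"
    return True, "ok"


def storage_name(original_name: str) -> str:
    """Never reuse the client's filename on disk: a random stem plus the
    validated extension, so the uploader cannot choose a name or a path."""
    suffix = Path(Path(original_name).name).suffix.lower()
    return secrets.token_hex(16) + suffix


def storage_path(original_name: str) -> Path:
    """Final location for an accepted file, with a defence-in-depth check that
    the storage directory is not itself under the served web root."""
    target = UPLOAD_ROOT / storage_name(original_name)
    if WEB_ROOT.resolve(strict=False) in target.resolve(strict=False).parents:
        raise RuntimeError("upload directory must not be inside the web root")
    return target


if __name__ == "__main__":
    # Constructed sample inputs: a JSP body and a PDF header.
    print(check_upload("page.jsp", b"<% out.println(1); %>", True))
    print(check_upload("stmt.pdf", b"%PDF-1.4\n", True))
    print(storage_path("stmt.pdf"))
```

The content sniff is a weak check on its own (a file can start with a PDF header and still carry other data), which is why the extension allow-list and the out-of-web-root storage remain the controls that actually prevent execution.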
(Figure: win3zz.jsp — A simple Java web shell (Strictly for learning purposes only, do not misuse it))
(Figure: COMMAND: cat /etc/*-release)
(Figure: COMMAND: uname -a)
  1. Extract lots of financial data and customer-sensitive data
  2. Compromise other interconnected devices
  3. Download all files including some SSH keys and other secrets
  4. Extract environment variables that may contain AWS secrets
  5. Elevate privileges to access other user accounts on the system
  6. Scan internal network
  7. Place a backdoor to retain access to the systems even after the bug is fixed
  8. Launch a distributed denial of service (DDoS) attack
  9. Read website configuration files and take over databases
  10. Dump the source code of the entire application

Conclusion

The server was poorly configured. I discovered over 100 bugs, including several critical severity issues. I believe that if more than 50 medium bugs are found in an application, they should not be fixed one by one; rather, the application should be rebuilt. 😉 I advised them to redesign the entire application with security in mind, and the application is completely down now. They immediately took appropriate steps.

Who am I?

To briefly introduce myself, my name is Bipin Jitiya and I am the founder of Cuberk solutions.

Originally published by Bipin Jitiya: Remote Command Execution in a Bank Server

Copyright notice: posted by admin on 21 November 2022 at 4:45 PM.