One IP led to 4 bugs made the company delete the domain

Kalawy
4 min readApr 4, 2024

--

الحمدلله لا ابغي به بدلا
حمدا يبَلّغ من رضوانه الأملا
ثم الصلاة على خير الورى وعلى
ساداتنا آله وصحبه الفضلا

Hey folks, I’ll explain how I got my first 3 paid bugs with Ahmed Ghazy.

before we go, our target is “x.target.com”, as an alias ;)

after hours of recon with:

  • amass
  • Security Trails
  • httpx
  • Dirsearch

I started to enumerate the IPs with:

while read subdomain;
do host $subdomain;
done < subdomains.txt

As you know, the host command line utility performs simple DNS lookup, so resulted IP may belongs to a proxy or a third party. Therefore, it’s crucial to verify whether the IP is related to your target using (Whois, SSL Checker, etc) , or go deeper and search for the IP with other techniques :)
fortunately for our target it works well and give real IPs

I used to scan each IP with NMAP, specifically with the Vuln script:

while read ip;
do nmap -Pn $ip -p443,80,8080,8443,8000 --script=vuln;
done < ips.txt

vulnis a category in NSE that contains useful scripts to check for common vulnerabilities

this gives me a result that says /core/packages/: Directory Listing

As a beginner who doesn’t know whether it should be reported or not, I was like:

So it’s time for a friend who will know for sure.

First, He told me that “directory listing vulnerability should be reported since there is sensitive data”.

We spent hours exploring the content and these appear to be sensitive files.

While exploring, we got another directory vulnerable to the same bug. We started by reporting these two bugs and decided to go deeper and view the endpoints.

All endpoints weren’t worthy unless one /core/xpdo/tools/schema/upgrade-mysql-1.1.php which appears to be juicy.

viewing this endpoint for first-time results:

hmmm,

what if adding pkg get-parameter:

the same message appears but with other parameters, …

it works with the pkg parameter reflected, so it’s <script>alert(“Xss_by_wego_1337”);</script> time.

at this point, Ahmed Ghazy with the mindset of a real hacker decided to search with these files on GitHub in the hope of finding the source code.

As you expected, he succeeded:

after viewing the source code of upgrade-mysql-1.1.php , he found a debug parameter which exposes some sensitive data like database username and password, filesystem, and so on.

Do you think that he stopped here?

he started to search for the same bug in all subdomains and found the same bugs on the main domain “target.com”.

at the end of the day, we submitted 4 reports:

  • Debug Sensitive Data Exposure (Medium)
  • 4 XSS (Medium), but we screwed up by submitting all in the same report
  • 2 Directory listing (Medium), unfortunately, one of them was tagged as a duplicate to another.

After our submissions, the company removed the domain from the scope, later they deleted the whole domain, and all IPs are down now.

Timeline:

XSS

  • 21 September 2023: Submitted.
  • 22 September 2023: severity changed to medium.
  • 19 October 2023: Marked as Duplicate (it wasn’t btw).
  • 23 October 2023: Marked as triaged.
  • 25 October 2023: Bounty recieved.
  • 25 October 2023: request a meditation as we submitted 4 XSS and paid for one.
  • until now: Mediation is Running 😆

Sensitive Data Exposure

  • 21 September 2023: Submitted.
  • 27 September 2023: tagged as Triaged
  • 4 October 2023: Bounty received.

Directory Listing

  • 21 September 2023: Submitted.
  • 2 October 2023: Marked as triaged.
  • 4 October 2023: Bounty recieved.

--

--

Responses (2)