Unleashing the Power of Recon: How I Earned $2500 in 5 Minutes | CVE-2017-5638 | OGNL injection
2023-6-20 19:21:43 Author: infosecwriteups.com (view original)

Karthikeyan.V

InfoSec Write-ups

Hello, infosec fam

In this write-up, I’ll share the thrilling tale of how I earned $2500 within a mere 5 minutes of recon in a private bug bounty program. As a dedicated security researcher, my passion lies in breaking security barriers and ethically reporting my findings to organizations. While I typically focus on account takeover-based vulnerabilities, this particular engagement presented a unique challenge — no apparent authentication actions. Undeterred, I decided to shift my focus towards Remote Code Execution (RCE).

During my recon phase, I fired up the Burp Suite tool. While spidering the target application, I stumbled upon files with the extensions “.do”, “.action” and “.jsp”. This discovery immediately caught my attention. To gather further insights into the backend technology, I consulted the Wappalyzer extension. Its analysis indicated the probable use of Apache Struts 2, a backend web framework with an infamous security history.

Encouraged by this revelation, I resolved to search for an OGNL (Object-Graph Navigation Language) injection vulnerability, known as CVE-2017-5638. Exploiting this vulnerability could potentially allow an attacker to seize server-level control through an RCE bug.

To automate the scanning process, I followed these steps:

1. Set the scope in Burp Suite, clearly defining the boundaries of the target application.

2. Navigate to the Spider tab and inject OGNL payloads into the specified content types.

3. Initiate the spidering process to systematically scan the target application.

4. If the application is vulnerable, a distinctive response header will be observed, featuring the value “karthithehacker”.

By automating this scanning procedure, I was able to swiftly identify the critical vulnerability, CVE-2017-5638, with exceptional efficiency, all within a mere 5 minutes of recon.
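The same header-based signal the scan above relies on can be used on the defensive side. The following is an added example (not the author's tooling or payloads) that parses constructed raw HTTP requests, as a reverse proxy or WAF might log them, and flags those whose Content-Type carries OGNL expression markers of the kind CVE-2017-5638 (S2-045) probes use; the hostnames, paths and the inert placeholder header are all constructed.

```python
import re

# Constructed sample requests, as a reverse proxy or WAF might record them.
# They are NOT captured traffic; only the shape of the Content-Type matters.
SAMPLE_REQUESTS = [
    "POST /orders/list.action HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n",
    "POST /orders/upload.action HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Content-Type: multipart/form-data; boundary=----abc123\r\n\r\n",
    # Constructed OGNL marker in Content-Type: an inert placeholder, not a payload.
    "POST /orders/upload.action HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Content-Type: %{(#constructed='multipart/form-data').(#_memberAccess=#x)}\r\n\r\n",
    "GET /orders/view.do?id=7 HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n\r\n",
]

# A legitimate Content-Type is a media type plus optional parameters. An OGNL
# expression opener ("%{" or "${") or Struts/OGNL internals never belong there.
OGNL_MARKERS = re.compile(r"%\{|\$\{|#_memberAccess|#context|@ognl\.", re.IGNORECASE)

def parse_request(raw: str) -> tuple[str, dict[str, str]]:
    """Return (request line, lower-cased header map) from a raw HTTP request."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def is_ognl_injection_attempt(content_type: str) -> bool:
    """True when the Content-Type value carries OGNL expression markers."""
    return OGNL_MARKERS.search(content_type) is not None

def scan(raw_requests: list[str]) -> list[str]:
    """Return the request lines whose Content-Type looks like an S2-045 probe."""
    flagged = []
    for raw in raw_requests:
        request_line, headers = parse_request(raw)
        if is_ognl_injection_attempt(headers.get("content-type", "")):
            flagged.append(request_line)
    return flagged

if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print("possible CVE-2017-5638 attempt:", hit)
```

A hit is a reason to check the Struts version rather than proof of compromise; the S2-045 fix shipped in Struts 2.3.32 and 2.5.10.1, so anything older that is reachable by such requests should be treated as exposed.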

[PoC image]

Payloads I used: https://github.com/karthi-the-hacker/PayloadAllTheThings/tree/main

Conclusion:

CVE-2017-5638 exposed the critical nature of remote code execution vulnerabilities and the potential consequences organizations face when security flaws are not promptly addressed. This incident urged organizations to adopt stringent security measures, prioritize patch management, and foster a culture of proactive vulnerability management.

As security professionals, it is crucial to stay vigilant, keep abreast of emerging vulnerabilities, and collaborate with the community to foster a more secure digital landscape.

What's next:

Soon, I will be presenting an in-depth exploration of the CVE-2017-5638 vulnerability, where I will demonstrate the process of exploiting it to gain a powerful reverse shell. Stay tuned for an exciting write-up.

Keep an eye out for the upcoming write-up and join me in the quest for a more secure digital world.

https://medium.com/bugbountywriteup/from-payload-to-300-bounty-a-story-of-crlf-injection-and-responsible-disclosure-on-hackerone-eeff74aff422

Twitter: https://twitter.com/karthithehacker

Instagram: https://www.instagram.com/karthithehacker/

LinkedIn: https://www.linkedin.com/in/karthikeyan--v/

Website: https://www.karthithehacker.com/

GitHub: https://github.com/karthi-the-hacker/

npmjs: https://www.npmjs.com/~karthithehacker

YouTube: https://www.youtube.com/karthithehacker

Thank you

Karthikeyan.V

Article source: https://infosecwriteups.com/unleashing-the-power-of-recon-how-i-earned-2500-in-5-minutes-cve-2017-5638-ognl-injection-23ece4811f14?source=rss----7b722bfd1b8d--bug_bounty