Good things takes time | Story of my first “valid” critical bug!
2022-7-19 13:15:27 Author: infosecwriteups.com(查看原文) 阅读量:28 收藏

Hello there, I am Krishna Agarwal ( Kr1shna 4garwal ) from India 🇮🇳. An ordinary bug hunter and So called security researcher :)

Let me tell you how I was able to find my first “valid” interesting critical vulnerability on a Vulnerability disclosure programme. I hope you will learn something new from this write-up :)

var domain.tld = target.com

One day I was hunting on a Public Vulnerability disclosure programme, they provides Hall Of Fame for valid submissions. It was a medium scoped target (*.domain.tld). So I started my private recon script for recon (I’m mentioning only 5% of it in this write-up).

Commands (Taken from my private recon script):

note: Medium prints double hyphen in a single line ( — ) so don’t be confuse, it is double hyphen.

subfinder -d domain.tld -all -o .temp/subfinder.txt

sublist3r -d domain.tld -e baidu,yahoo,google,bing,ask,netcraft,threatcrowd,ssl,passivedns -o .temp/sublist3r.txt

findomain -t domain.tld| sort -u | tee -a .temp/findomain.txt

assetfinder –subs-only domain.tld | tee -a .temp/assetfinder.txt

amass enum — passive -d domain.tld -o .temp/amass.txt

got 594 subdomains.

After this I combined all the results and passed it HTTPX

cat .temp/*.txt | sort -u | grep -i domain.tld | tee -a all.txt

cat all.txt| httpx -silent -ports 80,443,3000,8080,8000,8081,8008,8888,8443,9000,9001,9090 | tee -a alive.txt

After HTTPX I got total 684 probed subdomains.

Now I started nuclei with my custom templates in background and moved all the subdomain to my Burp proxy configured browser (In 50 subdomains per window), while visiting the each subdomain I found many 403 subdomains, for bypassing these all shi**y forbidden subdomains I started 4-zero-3 in background, but no luck :(

Other 200 OK subdomains were feature less (No signup, Login, etc) So I left these subdomains for future.

If you notice, I run port scan with HTTPX, I got some 8080,8443,9090 and 8081 ports open, so while checking the subdomains with ports ( subdomains.domain.tld:<PORT>), I found one of the subdomain very interesting because it was running RAVENDB on port 8080 with no authentication :)

What is Raven DB?

RavenDB is an open-source fully ACID document-oriented database written in C#, developed by Hibernating Rhinos Ltd. It is cross-platform, supported on Windows, Linux, and Mac OS. RavenDB stores data as JSON documents and can be deployed in distributed clusters with master-master replication.

In short: RavenDB is an open-source No-SQL Database.

So when I open subdomain.domain.tld:8080 in my browser, I see no authentication on RavenDB, I was able to change settings, Dump full database, View System Configurations, Delete Database (Obviously I don’t have permission to do that).

RavenDB Dashboard

RavenDB Databases

RavenDB settings

I quickly create a Professional detailed report, And Send it to security team :)

later I got Some anonymous FTP, XSS and some common misconfigurations on same target. It is enough for me, So I stopped hunting on that target.

update (12:22 AM, 19 July 2022):

Shodan Dork for finding RavenDB:- http.favicon.hash:442225173

Takeaway: Want to speed up your Nmap Scan? Use this command

nmap 127.0.0.1 -sS -sV -Pn -n — max-rate 1000 — open -p 21 -oN Active_21.txt

Tip: Don’t forgot to scan the commonly open ports like 21,22,3000,8080,8000,8081,8008,8888,8443,9000,9001,9090.

From Infosec Writeups: A lot is coming up in the Infosec every day that it’s hard to keep up with. Join our weekly newsletter to get all the latest Infosec trends in the form of 5 articles, 4 Threads, 3 videos, 2 Github Repos and tools, and 1 job alert for FREE! https://weekly.infosecwriteups.com/


文章来源: https://infosecwriteups.com/story-of-my-first-valid-critical-bug-22029115f8d7?source=rss----7b722bfd1b8d--bug_bounty
如有侵权请联系:admin#unsafe.sh