Disabling js for the win
2023-02-11 03:47:06 Author: infosecwriteups.com

or: how reading the HTML source with care led to RCE through a file upload

JavaScript. Used practically everywhere, even in your washing machine (this is a joke, I think (: ). If you really want to know how unavoidable it is, turn JS off globally, with an extension or manually, and try using any of the popular websites; good luck with that :) I had JS disabled globally for some time, with the obvious websites whitelisted, which means that every now and again I land on a site that relies so heavily on JS that its content is unreadable without enabling it. But the same habit has led me into various admin panels without logging in, whenever the site relied on JS to decide whether to send you to the login screen or to the panel. In most of those cases all you get is the design/layout of the panel, without any functionality that needs an authenticated session, because the redirect happens in the browser while the real checks still happen on the server.

This article is about a recent bug hunt session where I found a functional file upload area that the devs had hidden with JS instead of removing it or protecting it properly. It does require authenticated access, but even for an authenticated user the JS checks whether you are on that page and, if so, hides the upload form. Why? Perhaps they knew a bug was present, or the feature was under construction or mid-patch.

Step 1 — Disable js

This can be done in Burp's Proxy options: the Response Modification section, right above Match and Replace, has a "Remove all JavaScript" checkbox (the "Unhide hidden form fields" option in the same section is handy here too, since it exposes hidden inputs such as CSRF tokens in the rendered page).

Or you can do it in Firefox itself, by setting javascript.enabled to false in about:config.

Or one of the various extensions, which I haven't tested; I like to keep things simple, and for some reason I found this simpler (:

Step 2 — How to browse the js website without js

This part can be tedious. On the target website I had to go back and forth, disabling JS, enabling JS and refreshing the page to reach the hidden parts, and I kept a separate browser with JS enabled so I could just copy and paste paths from its address bar.

Step 3 — The Actual Bug

Obviously, removing JS and seeing an upload form isn't necessarily a bug on its own. But if you can upload a reverse shell, or an ordinary file whose name carries an XSS payload that gets reflected without the relevant characters and HTML tags being filtered, then you have a valid bug to report. In this case the bug was a plain reverse shell upload (there are plenty of tutorials, walkthroughs and writeups on uploading reverse shells).

The upload itself didn't involve anything special. The only wrinkle was that the CSRF token was attached to the request by JS. That meant looking the token up by hand (luckily it didn't change during the session) and adding it to the request in Burp Repeater. That's the only "special" thing about this, and probably why the form was hidden: perhaps they were working on a patch, or had a different use in mind, or both. Either way, hiding the form in the browser changed nothing for anyone who reads the HTML; the server was still serving the markup and still accepting the upload. They should have removed that block of code, and the endpoint behind it, from the public-facing site until they were done. Go figure.
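Putting Steps 1 to 3 together as an added example (this is not code from the original post): the script below takes a saved HTML response (here a constructed sample; the /admin/upload action, the _csrf, folder and attachment field names and the token value are all assumptions), lists every form that has a file input and flags those the markup hides, pulls the CSRF token out of the raw HTML instead of letting the site's JS do it, and hand-builds the multipart body so the request can be pasted into Burp Repeater or sent from any HTTP client with JS disabled.

```python
from html.parser import HTMLParser

# Constructed sample response (not from the target in the write-up): the upload
# form is in the markup but hidden with CSS, and the CSRF token sits in both a
# <meta> tag and a hidden input. The site's own JS would normally copy it into
# the request; here it is read straight out of the HTML instead.
SAMPLE_HTML = """<html><head>
<meta name="csrf-token" content="7c1a2e9f4b6d8a0c3e5f7a9b1c2d3e4f">
</head><body>
<form id="upload" action="/admin/upload" method="post"
      enctype="multipart/form-data" style="display: none">
  <input type="hidden" name="_csrf" value="7c1a2e9f4b6d8a0c3e5f7a9b1c2d3e4f">
  <input type="hidden" name="folder" value="attachments">
  <input type="file" name="attachment">
  <button type="submit">Upload</button>
</form>
<script>document.getElementById('upload').style.display = 'none';</script>
</body></html>
"""

class FormFinder(HTMLParser):
    """Collect every <form> with its inputs, plus csrf-looking <meta> tags."""
    def __init__(self):
        super().__init__()
        self.forms, self.meta_tokens, self._form = [], {}, None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # boolean attributes such as `hidden` map to None
        if tag == "meta" and "csrf" in (a.get("name") or "").lower():
            self.meta_tokens[a["name"]] = a.get("content") or ""
        elif tag == "form":
            style = (a.get("style") or "").replace(" ", "").lower()
            self._form = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").upper(),
                # hidden by markup; forms hidden only at runtime by JS show up
                # when you diff the page with JS on and off (Step 2)
                "hidden": "hidden" in a or "display:none" in style,
                "inputs": [],
            }
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["inputs"].append(
                (a.get("name"), (a.get("type") or "text").lower(), a.get("value")))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def find_upload_forms(html):
    """Return (forms that contain a file input, csrf meta tags) for saved HTML."""
    p = FormFinder()
    p.feed(html)
    return [f for f in p.forms if any(t == "file" for _, t, _ in f["inputs"])], p.meta_tokens

def csrf_token(form, meta_tokens):
    """Prefer a hidden csrf input inside the form, else the first csrf <meta>."""
    for name, typ, value in form["inputs"]:
        if typ == "hidden" and name and "csrf" in name.lower():
            return name, value or ""
    return next(iter(meta_tokens.items()), None)

def build_upload_request(form, token, filename, content,
                         content_type="application/octet-stream",
                         boundary="----probeBoundary7f1d"):
    """Hand-build the multipart/form-data request the site's JS would have sent.
    The fixed boundary keeps output reproducible; it must not occur in `content`.
    Returns (headers, body)."""
    file_field = next(n for n, t, _ in form["inputs"] if t == "file")
    fields = {token[0]: token[1]} if token else {}
    for n, t, v in form["inputs"]:  # keep the form's other hidden fields too
        if t == "hidden" and n and n not in fields:
            fields[n] = v or ""
    parts = [f'--{boundary}\r\nContent-Disposition: form-data; name="{n}"\r\n\r\n{v}\r\n'
             for n, v in fields.items()]
    parts.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{file_field}"; '
                 f'filename="{filename}"\r\nContent-Type: {content_type}\r\n\r\n')
    body = "".join(parts).encode() + content + f"\r\n--{boundary}--\r\n".encode()
    headers = {"Content-Type": f"multipart/form-data; boundary={boundary}",
               "Content-Length": str(len(body))}
    return headers, body

def plan_upload(html, filename, content):
    """Steps 1-3 in one call: the request to replay, or None if no upload form."""
    uploads, meta = find_upload_forms(html)
    if not uploads:
        return None
    form = uploads[0]
    headers, body = build_upload_request(form, csrf_token(form, meta), filename, content)
    return {"method": form["method"], "action": form["action"],
            "hidden": form["hidden"], "headers": headers, "body": body}

if __name__ == "__main__":
    # Benign probe file; what you actually upload is up to the engagement.
    plan = plan_upload(SAMPLE_HTML, "probe.txt", b"upload probe\n")
    print(plan["method"], plan["action"], "(form hidden in markup)" if plan["hidden"] else "")
    print("\n".join(f"{k}: {v}" for k, v in plan["headers"].items()), end="\n\n")
    print(plan["body"].decode())
```

Note what the script never needs: the page's JavaScript. That is the point for the developer side as well. A form hidden by a script or a stylesheet is still in the response, and the handler behind it still answers, so the fix is to remove or properly authorize the server-side endpoint (and validate the upload there), not to hide the markup.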

I like to believe this article was of use to devs as well as bug bounty hunters and infosec folks in general; if nothing else it was a good reminder for me, and maybe it will be for some of you.


Source: https://infosecwriteups.com/disabling-js-for-the-win-9d13c606f910?source=rss----7b722bfd1b8d--bug_bounty