Hey guys! I'm back with a new post. This one is about an authentication bypass vulnerability in one of the subdomains of https://zol.co.zw/ (ZOL Zimbabwe), followed by an XSS and then an SQLi in that control panel. So the main focus of this blog post will be on how I got access to the CP, and then how I got the XSS followed by the SQLi.
So, fast forward: I got a subdomain of the site, http://psizimll2.zol.co.zw/, and the subdomain was showing the default IIS7 page, like in the picture below.
So at first I started testing this subdomain for 2 of the most common issues found in IIS7:
1) Microsoft IIS tilde vulnerability (and the site was vulnerable to this issue)
2) HTTP.sys DoS & possible RCE
But after testing these common issues on the subdomain I got nothing and decided to dig deeper. So I searched the subdomain on Google to see if there was any information about this particular subdomain (most of the time a simple Google search gives you some files or folders), but negative, I got nothing. I did go through VirusTotal and some other sites like the Web Archive to get some information, but nothing.
After this, the next phase of my testing was to use DirBuster & DirScanner to test further for any possible files/folders, and after a while I got some URLs like
The 2 pages test.php and info.php were both leaking some information through phpinfo() pages.
So at this point I had 2 issues in that subdomain…
Now, whenever I went to the URL http://psizimll2.zol.co.zw/cp.php I got redirected to the main page of the subdomain, http://psizimll2.zol.co.zw/. As many of you guys know about some redirect-based techniques, like this NoRedirect one, I added the URL cp.php to the Firefox extension called NoRedirect, and then when I went to the URL
http://psizimll2.zol.co.zw/cp.php it didn't redirect me to
http://psizimll2.zol.co.zw/ and I had access to
http://psizimll2.zol.co.zw/cp.php, which looked like a control panel for some sort of web app that had some users' data in it.
Now I searched for some data and it was a user information database of some sort. While searching in it I got another page, http://psizimll2.zol.co.zw/dnpc.php, and this page had a user data function where I could search user data from particular dates. While searching, a POST request was sent to the file /dnpc.php with post data
Submit2=Go&end_dt1&start_dt=10 and I saw that anything we added to the parameters end_dt or start_dt was reflected back in the page under a <th></th> tag, so I added a simple image XSS payload; it was reflected to me under the <th></th> tag and the XSS payload was executed.
I would like to mention that due to some error the search input was saved on this page, so it became a stored XSS 🤣
Now it was getting boring, so I decided to write the report to the team, and then suddenly decided to look for one last issue that could make the report look better.
So at the same endpoint, in the same POST request as above (Submit2=Go&end_dt1&start_dt=10), I simply changed the search to 1' as I started looking for an SQL injection issue, and boom, the response for this request gave me an error:
Could not get htccc data: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
So I did exploit this issue to get the basic info and tables, and then I was convinced I should stop further tests on this subdomain and report the issue. Furthermore, the ZOL team patched these issues by deleting the files and blocking access to the subdomain 👏
Thanks for reading this, guys 🙂
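To show the three bugs from the fixing side, here is an added example (my own reconstruction, not ZOL's code) of a hypothetical PHP handler in the shape of cp.php/dnpc.php, with the weak pattern that produces each symptom next to its fix. It assumes a session flag `logged_in`, an existing PDO connection `$pdo`, and a table named after the `htccc` in the error message with a `created` date column; all of those names are assumptions.

```php
<?php
// Added example, not ZOL's code. Assumed names: $_SESSION['logged_in'],
// an existing PDO connection $pdo, table htccc with a DATE column 'created'.
session_start();

// 1) Auth bypass. A Location header by itself does not stop the script: the
//    rest of the page is still written into the 302 body, and a client that
//    ignores the header (the NoRedirect extension) renders the control panel.
//    Weak:  header('Location: /');   // execution continues below
//    Fix:   send the redirect AND stop.
if (empty($_SESSION['logged_in'])) {
    header('Location: /', true, 302);
    exit;
}

// 2) The dnpc.php date search (POST: Submit2=Go&start_dt=...&end_dt=...).
$start = $_POST['start_dt'] ?? '';
$end   = $_POST['end_dt']   ?? '';

// Reject anything that is not a real YYYY-MM-DD date before it reaches SQL or HTML.
$isDate = static function (string $v): bool {
    $d = DateTime::createFromFormat('Y-m-d', $v);
    return $d !== false && $d->format('Y-m-d') === $v;
};
if (!$isDate($start) || !$isDate($end)) {
    http_response_code(400);
    exit('start_dt and end_dt must be YYYY-MM-DD');
}

// 3) SQLi. A single quote in the input broke the query ("near ''' at line 1"),
//    which is what string concatenation into SQL looks like.
//    Weak:  "SELECT id, name FROM htccc WHERE created BETWEEN '$start' AND '$end'"
//    Fix:   prepared statement with bound parameters.
$stmt = $pdo->prepare('SELECT id, name FROM htccc WHERE created BETWEEN :s AND :e');
$stmt->execute([':s' => $start, ':e' => $end]);

// 4) XSS. The search values were echoed raw inside <th>. Encode on output,
//    every time, even after validation.
//    Weak:  echo "<th>$start - $end</th>";
//    Fix:   htmlspecialchars with ENT_QUOTES and an explicit charset.
$e = static fn (string $v): string => htmlspecialchars($v, ENT_QUOTES, 'UTF-8');
echo '<table><tr><th>' . $e($start) . ' to ' . $e($end) . '</th></tr>';
foreach ($stmt as $row) {
    echo '<tr><td>' . $e((string) $row['id']) . '</td><td>' . $e((string) $row['name']) . '</td></tr>';
}
echo '</table>';
```

The `exit` after `header()` is the whole auth fix: without it, the 302 is sent but the panel HTML follows in the same response, which is exactly what a redirect-ignoring client gets to see.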