Breaking Application Logic To RCE

Ranjeet Kumar Singh
Jun 18, 2021

Hello friends, my name is Ranjeet Singh, and today I am going to share an interesting case of RCE.

I learned hacking by reading blogs, and now I want to give back to our community, which is why I am writing this blog. Whenever I learn, find, or watch something interesting, I will share it so we can learn from each other.

Those who don't know about RCE can just google it and learn more. Here I am just going to explain what the application's logic was and how we bypassed and exploited it.

In that web application there was a functionality to upload an image/logo.

IMAGE UPLOAD FUNCTIONALITY

Whenever we try to upload an image, a shell, or any other file, it first validates whether we have uploaded a valid image or something else (a malicious file).

It checks this by first sending a request to this endpoint: /api/FileScanner/FileScan

Validating we have uploaded image or some malicious file

But after that, when we click on save, it doesn't validate whether we have tampered with the request or whether we are uploading the same file that the above-mentioned endpoint checked.

So first upload a valid image, then click on save, and when the second request goes out, tamper with the request and upload our shell.

SAVE IMAGE BUTTON IN RIGHT SIDE AT THE BOTTOM

So we traversed the path and uploaded our shell.

Shell Uploaded

Then open the path and name that we used to upload the shell, and after that execute whatever command you want.

SHELL
Executes Command

SUMMARY :

So when we upload an image, 2 requests go out. In the first request it checks whether we have uploaded an image or a malicious file. After that the save button appears, and when we click on save the second request goes out, and here it does not check whether we have uploaded a malicious file or a valid image. So this was the logic.

Now, to break the application logic, first upload a valid image and click on save, then tamper with the second request and upload a malicious file.
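One way to close the gap described in the summary, as an added example that is not part of the original post or the application's own code: the scan step returns a token bound to the exact bytes it checked, and the save step rejects any content that does not match that token and ignores the client-supplied file name. The function names, SECRET and UPLOAD_DIR are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets

SECRET = secrets.token_bytes(32)                  # assumed per-deployment server key
UPLOAD_DIR = os.path.normpath("/srv/app/uploads")  # assumed storage root, not script-executable
MAGIC = {b"\x89PNG\r\n\x1a\n": ".png", b"\xff\xd8\xff": ".jpg"}


def image_ext(data: bytes):
    """Return the extension for an allowed image type, else None."""
    for sig, ext in MAGIC.items():
        if data.startswith(sig):
            return ext
    return None


def scan(data: bytes):
    """First request (scan): validate, then return a token bound to these bytes."""
    if image_ext(data) is None:
        return None
    digest = hashlib.sha256(data).digest()
    return hmac.new(SECRET, digest, hashlib.sha256).hexdigest()


def save(data: bytes, token: str, client_name: str):
    """Second request (save): accept only the exact bytes that were scanned."""
    digest = hashlib.sha256(data).digest()
    expected = hmac.new(SECRET, digest, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token or ""):
        raise ValueError("content differs from the scanned file")
    ext = image_ext(data)  # re-validate at save time, not only at scan time
    if ext is None:
        raise ValueError("not an allowed image type")
    # client_name is never used to build the path: the server picks both the
    # name and the extension, so a traversal sequence or script extension in
    # the request has no effect on where or how the file is stored.
    name = secrets.token_hex(16) + ext
    path = os.path.normpath(os.path.join(UPLOAD_DIR, name))
    if os.path.commonpath([UPLOAD_DIR, path]) != UPLOAD_DIR:
        raise ValueError("path escapes upload directory")
    return path  # the caller writes data to this path
```
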

If you have any doubt or I have made any mistake, then please notify me so we can help each other by learning & sharing knowledge :)

TWITTER ID : https://twitter.com/geekboyranjeet

INSTAGRAM ID : https://www.instagram.com/geekb0yranjeet/

THANK YOU :)
