We've been in this pandemic since March, and as soon as the pandemic started I had a lot of free time, and I wanted to spend that time wisely. So I decided to go for the OSWE certification, and I passed the exam on 8 of August. After that, I took a couple of weeks to recover from the OSWE exam, then in the middle of September I said what? I did not register my name in the Facebook hall of fame for 2020 as I do every year. Okay, let's do it.
I had never found a vulnerability on one of the Facebook subdomains, so I took a look at some writeups and I saw one writeup on one of the Facebook subdomains which got all my attention. It was a great writeup, you may check it out: [HTML to PDF converter bug leads to RCE in Facebook server.]
So after reading this writeup I had a good idea about what kind of vulnerabilities I might find in this kind of big web app.
So my main target was https://appropriate.tapprd.thefacebook.com and my goal was RCE or something similar.
I ran some fuzzing tools just to find the full list of endpoints of this web app, and I took a 2 hours nap and watched a movie. Then I got back to look at the results, and okay, I got some good results.
Dirs found with a 403 response:
/tapprd/
/tapprd/clarify/
/tapprd/corporations and merchandise/
/tapprd/Declare materials/
/tapprd/api/
/tapprd/Services/
/tapprd/temp/
/tapprd/logs/
/tapprd/logs/portal/
/tapprd/logs/api/
/tapprd/certificates/
/tapprd/logs/auth/
/tapprd/logs/Portal/
/tapprd/API/
/tapprd/webroot/
/tapprd/logs/API/
/tapprd/certificates/sso/
/tapprd/callback/
/tapprd/logs/callback/
/tapprd/Webroot/
/tapprd/certificates/dkim/
/tapprd/SERVICES/
I saw a way to bypass the redirection to the Login SSO, https://appropriate.tapprd.thefacebook.com/tapprd/portal/authentication/login, and after inspecting the login page, I saw this endpoint.
I said okay, this could be because the email is wrong or something? Let's find an admin email. Then I started to put random emails in a list to build a wordlist, and after that I used Intruder and I said let's see what is going to happen.
I got back after a couple of hours and I found the same error results plus one different result. This one was a 302 redirect to the login page. I said wow, I'll be damned if this worked, Haha.
So let's get back to look at what I've done here: I sent random requests using Intruder, with a CSRF token and random emails together with a new password, to this endpoint /savepassword
and one of the results was a 302 redirect.
Now I went to the login page, entered that email and the new password, and BOOM, I logged in successfully to the application and I can enter the admin panel 🙂
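The flaw behind /savepassword is a password-change handler that trusts the email submitted in the request, so a CSRF token alone does not stop a takeover. The snippet below is an added illustration, not the author's script or the target's code: it puts the vulnerable handler shape next to a hardened one that binds the change to a single-use, expiring reset token. All stores, account names and function names are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time

USERS = {}         # constructed demo store: email -> (salt, pbkdf2 hash); placeholder accounts only
RESET_TOKENS = {}  # sha256(token) -> (email, expiry as unix time)

def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def set_password(email, password):
    salt = secrets.token_bytes(16)
    USERS[email] = (salt, _hash_pw(password, salt))

def verify_login(email, password):
    if email not in USERS:
        return False
    salt, stored = USERS[email]
    return hmac.compare_digest(stored, _hash_pw(password, salt))

def vulnerable_savepassword(email, new_password):
    """The flaw in the writeup: trusting the submitted email. A CSRF token proves
    the request came from the page, not that the caller owns the account."""
    if email not in USERS:
        return 400  # the "email is wrong" error seen on random guesses
    set_password(email, new_password)
    return 302      # redirect to login: the account is now taken over

def issue_reset_token(email, ttl_seconds=900):
    """Hardened step 1: mint a random, short-lived, single-use token, store only
    its hash, and bind it to the account it was issued for."""
    if email not in USERS:
        return None  # the UI should respond identically either way
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = (email, time.time() + ttl_seconds)
    return token     # delivered out of band to the mailbox owner only

def hardened_savepassword(token, new_password):
    """Hardened step 2: the email is never read from the request; it comes from
    the token binding, and the token is consumed on first use."""
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None:
        return 400
    email, expires_at = entry
    if time.time() > expires_at:
        return 400
    set_password(email, new_password)
    return 302
```

With the hardened flow, a mass of guessed emails against the endpoint yields nothing but 400s, which is also the signal a defender can alert on.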
I read the report of the hacker who found the RCE before, using the PDF converter, and they gave him a reward of 1000$ only. So I said okay, let's make a good impact here and a proper exploit.
I wrote a short and simple script in Python to exploit this vulnerability: you supply the email and the new password, and the script changes the password.
The impact here was so high because the Facebook employees used to log in with their work accounts, which means they are using their Facebook account access tokens, and if another attacker wanted to exploit this it could give him the ability to gain access to some Facebook employees' accounts, etc.
Then I reported the vulnerability and the report was triaged.
And on 2 of October, I got a bounty of 7500$
I loved exploiting this vulnerability so much, so I said that's not enough, it's an old script! Let's dig more and more.