MANGOBAAZ HACKED | XSS TO CREDENTIALS EXPOSURE TO PWN




Vulnerabilities identified: XSS, IMPROPER ERROR HANDLING


hey folks! hope y'all are fine. i recently got access to a paki blog @mangobaaz and here is the writeup of how i was able to hack into it.

INFORMATION GATHERING:

while information gathering i came across a website "hungerist.com" which was owned by mangobaaz, and the signup page caught my attention so i selected it to penetrate.



IDENTIFYING VULNERABILITY:

i added the xss payload in the NAME field:

    <script>alert("XSS BY HX01");</script>

and BOOM! XSSED:


since i was trying to steal cookies i tried another payload:

    <iframe src=" jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e "></iframe>

the xss didn't trigger but an error did:


because of improper error handling the error page leaked some credentials :D including MYSQL, AWS, FB INSTANT ARTICLE, ALGOLIA API KEYS, PUSHER API KEYS and SMTP CREDS:
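as an added example (not code from the original post or from the site): a minimal signup handler with the two defects described above, the name echoed unescaped and a catch-all error page that dumps the app config, next to a hardened version that escapes output and keeps the error details in the server log. All function names and config values here are constructed placeholders.

```python
import html
import logging
import uuid

# Constructed sample app config: the kind of secrets the error page leaked
# (values are placeholders, not real credentials).
APP_CONFIG = {
    "DB_PASSWORD": "placeholder-mysql-pass",
    "AWS_SECRET_ACCESS_KEY": "placeholder-aws-secret",
    "SMTP_PASSWORD": "placeholder-smtp-pass",
}

log = logging.getLogger("signup")


def save_user(name: str) -> None:
    """Stand-in for the backend call; assumed to fail on unusual input."""
    if len(name) > 64:
        raise RuntimeError("column 'name' too long")


def signup_vulnerable(name: str) -> str:
    """Vulnerable pattern: name echoed unescaped (XSS) and, on any exception,
    a debug page that dumps the whole config (credentials exposure)."""
    try:
        save_user(name)
        return f"<p>Welcome, {name}!</p>"
    except Exception as exc:
        dump = "\n".join(f"{k}={v}" for k, v in APP_CONFIG.items())
        return f"<pre>Error: {exc}\n{dump}</pre>"


def signup_hardened(name: str) -> str:
    """Same handler fixed: output is HTML-escaped and the error detail is
    logged server-side under a reference id; the client only sees the id."""
    try:
        save_user(name)
        return f"<p>Welcome, {html.escape(name)}!</p>"
    except Exception as exc:
        ref = uuid.uuid4().hex[:12]
        log.error("signup failed ref=%s: %r", ref, exc)  # stays in the server log
        return f"<p>Something went wrong. Reference: {ref}</p>"


def leaks_secret(page: str) -> bool:
    """True if a rendered response contains any configured secret value;
    usable as a test assertion or as an outbound-response check."""
    return any(v in page for v in APP_CONFIG.values())
```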



EXPLOITATION:

AWS BUCKETS:

since i got access to the aws keys i tried checking out what was there & found some buckets, above all there was cdn.mangobaaz.com :D :


to see what was in cdn.mangobaaz.com:

since it had wp-content & wp-includes hosted, an attacker could have added keyloggers to the scripts, which could also have given him access to the wp admin panel and server access from the admin panel. however my motive was just to test the web, so i only stamped the bucket at cdn.mangobaaz.com/wp-includes/js/manifest.txt. since the bug is patched they removed it, but it can still be seen from the archive: https://web.archive.org/web/20180415124925/cdn.mangobaaz.com/wp-includes/js/manifest.txt :

SMTP:

i tried sending an email with the leaked creds and was successful. an attacker could phish with this or do a lot of other things:


FB INSTANT ARTICLE KEY:

from the key i was able to generate an access token:

since enough exploitation was done, i reported it to them.

TIMELINE:

  • NOTIFICATION SENT IF THEY HAVE BUG BOUNTY PROGRAM @15 APRIL 2018
  • RECEIVED REPLY @16 APRIL 2018
  • REPORT SENT @16 APRIL 2018
  • BUG PATCHED @18 APRIL 2018
  • ASKED IF THERE'S ANY UPDATE ON BOUNTY @18 APRIL 2018
  • They Replied : "Thanks for the suggestions. Currently we don’t have bounty setup for bugs being reported but we appreciate your effort in letting us know.

    -- 

    Best,
    Daniyal Shahid
    Director Engineering | MangoBaaz"
  • NO ACKNOWLEDGMENT




Comments

  1. nice write up bro <3
    which application is that, used in the 2nd and 3rd screenshot?
