YouTube videos curated by Class Central.
Finding 0days in Enterprise Web Applications
- 1 Intro
- 2 What is HCL Digital Experience / IBM WebSphere Portal
- 3 Decompiling JARS
- 4 Finding The Attack Surface
- 5 Finding the endpoint: One of the hardest bits of source code analysis when finding bugs through grep is identifying the endpoint that the config files/code are triggered by. This one was easy, they …
- 6 Chaining a Lotus Domino Open Redirect
- 7 Variant Hunting: Discovering other occurrences of similar vulnerabilities
- 8 Super SSRF
- 9 Variant Hunting #2
- 10 Chaining the vulnerability through IBM KC
- 11 Fail: Another attempt at XXE
- 12 Post Auth RCE via Directory Traversal
- 13 References
- 14 What is SolarWinds Web Help Desk? Basically a central ticket management system for your enterprise. Connect with SolarWinds Orion
- 15 Development Hardcoded Credentials
- 16 Production Hardcoded Credentials
- 17 What does this let us access? These credentials let us access a big part of the Spring web app embedded in this software. The most interesting controller for this was found at /helpdesk/WEB-INF
- 18 Hibernate Query Routes
- 19 Putting it all together
- 20 Exploit Writeup
- 21 What is Sitecore's Experience Platform?
- 22 Grabbing Sitecore Source Code
- 23 Mapping out the attack surface
- 24 Discovering the vulnerable endpoint: When we investigated some of the files inside the sitecore/hel directory, we following contents
- 25 Report.cs
- 26 ReportDataSerializer.cs
- 27 Crafting a payload
- 28 Final RCE Payload
- 29 Blob Handler.ashx
- 30 Encryption Function
- 31 Getting the Master Key
- 32 Default Master Key