

Finding 0days in Enterprise Web Applications

NahamSec via YouTube

Overview

Explore advanced techniques for discovering zero-day vulnerabilities in enterprise web applications in this conference talk from NahamCon2022. Delve into the intricacies of HCL Digital Experience, IBM Websphere Portal, Lotus Domino, Solarwinds Web Help Desk, and Sitecore's Experience Platform. Learn how to decompile JARs, identify attack surfaces, chain vulnerabilities, and craft exploits for post-auth RCE via directory traversal. Gain insights on variant hunting, super SSRF, and leveraging hardcoded credentials in development and production environments. Master the art of source code analysis, payload crafting, and encryption key retrieval to enhance your offensive security skills.

Syllabus

Intro
What is HCL Digital Experience / IBM Websphere Portal
Decompiling JARs
Finding The Attack Surface
Finding the endpoint. One of the hardest bits of source code analysis when finding bugs through grep is identifying the endpoint that the config files/code are triggered by. This one was easy: they were deployed under /wps/
Chaining a Lotus Domino Open Redirect
Variant Hunting: discovering other occurrences of similar vulnerabilities
Super SSRF
Variant Hunting #2
Chaining the vulnerability through IBM KC
Fail: Another attempt at XXE
Post Auth RCE via Directory Traversal
References
What is Solarwinds Web Help Desk? Basically a central ticket management system for your enterprise; it connects with Solarwinds Orion
Development Hardcoded Credentials
Production Hardcoded Credentials
What does this let us access? These credentials let us access a big part of the Spring web app embedded in this software. The most interesting controller for this was found at /helpdesk/WEB-INF
Hibernate Query Routes
Putting it all together
Exploit Writeup
What is Sitecore's Experience Platform?
Grabbing Sitecore Source Code
Mapping out the attack surface
Discovering the vulnerable endpoint. When we investigated some of the files inside the sitecore/hel directory, we found the following contents
Report.cs
ReportDataSerializer.cs
Crafting a payload
Final RCE Payload
Blob Handler.ashx
Encryption Function
Getting the Master Key
Default Master Key

Taught by

NahamSec

