Overview
Syllabus
Intro
What is HCL Digital Experience /IBM Websphere Portal
Decompiling JARS
Finding The Attack Surface
Finding the endpoint. One of the hardest bits of source code analysis when finding bugs through grep is identifying the endpoint that the config files/code are triggered by. This one was easy: they were deployed under /wps/
Chaining a Lotus Domino Open Redirect
Variant Hunting: Discovering other occurrences of similar vulnerabilities
Super SSRF
Variant Hunting #2
Chaining the vulnerability through IBM KC
Fail: Another attempt at XXE
Post Auth RCE via Directory Traversal
References
What is Solarwinds Web Help Desk? Basically a central ticket management system for your enterprise. Connects with Solarwinds Orion.
Development Hardcoded Credentials
Production Hardcoded Credentials
What does this let us access? These credentials let us access a big part of the Spring web app embedded in this software. The most interesting controller for this was found at /helpdesk/WEB-INF
Hibernate Query Routes
Putting it all together
Exploit Writeup
What is Sitecore's Experience Platform?
Grabbing Sitecore Source Code
Mapping out the attack surface
Discovering the vulnerable endpoint. When we investigated some of the files inside the sitecore/hel directory, we found the following contents
Report.cs
ReportDataSerializer.cs
Crafting a payload
Final RCE Payload
Blob Handler.ashx
Encryption Function
Getting the Master Key
Default Master Key
Taught by
NahamSec