Hello everyone, I recently discovered an interesting vulnerability. The discovery process involved collecting small clues and piecing them together until a security flaw became clear.

I'll share my journey and methodology behind discovering this vulnerability. I hope you find it insightful and useful.

1. First of all, I was doing directory recon with FFUF on an API URL and found something interesting in the responses.

2. I noticed a difference between the responses: some were 200 and some were 301. After some checking, I realised that a 200 response meant a valid file path on the server and a 301 meant a valid folder path.

3. When I put a valid file path into Burp Repeater, the response showed the contents of the file, which is basically local file inclusion. I then checked it with other valid file paths on a Linux server, such as etc/passwd, and BOOM, I could read the contents of the etc/passwd file.

4. I didn't stop there; I searched deeper for other sensitive files on the server, continuing to fuzz whenever I found a 301, i.e. a valid folder path.

5. During my recon, I found that the application used Node.js and Sequelize (fortunately, I had used those for my college project LOL). As I know, there's a feature for generating default user accounts called seeds.

6. It was difficult to find the seed file name because the file name was random with numbers.

7. While stuck on this, I found a .git/index file, which gave me an idea: maybe I could find the name of the seed file there.

8. I found the user seed file name, went to Burp Repeater to try it, and managed to get valid admin credentials.

While the journey wasn't particularly long, discovering this vulnerability was a rewarding experience for me.

I'm not entirely sure how the LFI vulnerability ended up in the application, but I suspect it was used during development to read responses and was accidentally left behind.

Thank you for reading this article.