
How to use Blind XSS to find the internal bill management and firewall login page of the target system

2025-01-31 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

Many novices are not clear about how Blind XSS can be used to find a target system's internal bill management and firewall login pages. To help with that, the editor explains the process in detail below; anyone with this need is welcome to read on, and I hope you gain something from it.

Hello, everyone. The writeup shared today describes how, through Blind XSS testing of an e-commerce website, the author discovered the bill management system and the FortiGate firewall management system inside the target's network. The vulnerability was ultimately classified as information leakage caused by XSS and earned a $1250 reward from the vendor. Although the flaw is simple, the approach is worth learning. Below is the author's account. For reasons of confidentiality, the target website is referred to here as seller.redacted.com.

A first hint of the vulnerability

At first, while testing seller.redacted.com, I tried all sorts of methods and got nothing; everyone knows that frustration. So I changed my approach to look for a new way in, and this time I wanted to look at XSS. I found an interesting login page on the target website: when you enter wrong credentials in the username and password fields and the login fails, an "Unable to Login?" option button appears.

Curiosity prompted me to click the button, and a feedback form popped up asking for the type of login problem, my registered email address, my mobile phone number and a description of the problem. After filling these in, I placed my Blind XSS payload in the final problem-description field to see what would happen.

Get the login page of the internal bill management system

After about an hour of repeatedly changing the Blind XSS payload, I received in my mailbox, through the login-failure feedback mechanism described above, a notification message from the target system that read "XSS payload fired on something.private.redacted.com/#app/secondLevelLead/my/incident/[ticket]/ticketjourny":

In other words, the problem-description field has an XSS vulnerability, and from the notification message I learned of a ticket-management-like server belonging to the target system, http://something.private.redacted.com/#app/secondLevelLead/my/incident/[ticket]/ticketjourny. Unfortunately, I could not actually reach it. Why? After some research I found that it is an internal management system, accessible only to internal employees or through a VPN.
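As an added, defender-side example (not part of the original writeup), here is a minimal Python rendering of a ticket-journey page: first as plain string concatenation, which lets whatever the reporter typed into the description run in the agent's browser, then with each untrusted value encoded for the context it lands in, plus response headers whose CSP blocks inline script and reports the attempt. The ticket fields, the sample values, the page layout and the /csp-report endpoint are assumptions; only the URL path shape is taken from the writeup.

```python
import html
from urllib.parse import quote

# Constructed sample ticket. The "description" is the reporter-controlled field,
# like the problem-description box in the login-failure feedback form.
SAMPLE_TICKET = {
    "id": "INC-0001/../x",                     # constructed; odd id shows why the path needs encoding
    "email": "reporter@example.test",          # constructed
    "description": "Cannot log in. <script>/* marker */</script>",  # constructed, inert marker
}

BASE_PATH = "/#app/secondLevelLead/my/incident/"   # path shape from the writeup


def render_ticket_vulnerable(ticket: dict) -> str:
    """Builds the page by concatenation: reporter input becomes markup in the agent's browser."""
    return (
        f"<h1>Ticket {ticket['id']}</h1>"
        f"<a href=\"{BASE_PATH}{ticket['id']}/ticketjourny\">journey</a>"
        f"<p>From: {ticket['email']}</p>"
        f"<div class=\"desc\">{ticket['description']}</div>"
    )


def render_ticket_safe(ticket: dict) -> str:
    """Same page, but every untrusted value is encoded for its context:
    html.escape for element text and quoted attributes, quote() for a URL path segment."""
    tid_html = html.escape(ticket["id"], quote=True)
    tid_path = quote(ticket["id"], safe="")   # also encodes '/', so the id cannot leave its segment
    return (
        f"<h1>Ticket {tid_html}</h1>"
        f"<a href=\"{BASE_PATH}{tid_path}/ticketjourny\">journey</a>"
        f"<p>From: {html.escape(ticket['email'], quote=True)}</p>"
        f"<div class=\"desc\">{html.escape(ticket['description'], quote=True)}</div>"
    )


def security_headers() -> dict:
    """Headers for the internal ticket app. The CSP forbids inline script, so a stored
    payload that slips past encoding is blocked, and violation reports go to the
    defenders (the /csp-report path is an assumed endpoint)."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                                   "object-src 'none'; report-uri /csp-report",
        "X-Content-Type-Options": "nosniff",
    }


def reached_page_unencoded(rendered: str, user_value: str) -> bool:
    """True if a user-supplied value appears verbatim in the page (i.e. was not encoded)."""
    return user_value in rendered
```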

Get the login page of the system's internal FortiGate firewall

Well, not being able to access it did not matter, because in the contents of the same notification message I found another IP address, which turned out to be a FortiGate firewall login page. FortiGate is a next-generation firewall (NGFW) system.

I tried a simple username and password combination, admin/admin, and, wow, it logged in successfully!

After logging in, I had control of the firewall; changing any of its functions was no problem at all.
