Play all

Intro

What is HCL Digital Experience /IBM Websphere Portal

Decompiling JARS

Finding The Attack Surface

Finding the endpoint . One of the hardest bits of source code analysis when finding bugs through grep is identifying the endpoint that the configfiles/code are triggered by . This one was easy, they …

Chaining a Lotus Domino Open Redirect

Variant Hunting • Discovering other occurrences of similar vulnerabilities

Super SSRF

Variant Hunting #2

Chaining the vulnerability through IBM KC

Fail: Another attempt at XXE

Post Auth RCE via Directory Traversal

References

What is Solarwinds Web Help Desk? . Basically a central ticket management system for your enterprise • Connect with Solarwinds Orion

Development Hardcoded Credentials

Production Hardcoded Credentials

What does this let us access? . These credentials let us access a big part of the Spring web app embedded in this software . The most interesting controller for this was found at /helpdesk/WEB-INF

Hibernate Query Routes

Putting it all together

Exploit Writeup

What is Sitecore's Experience Platform?

Grabbing Sitecore Source Code

Mapping out the attack surface

Discovering the vulnerable endpoint . When we investigated some of the files inside the sitecore/hel directory, we following contents

Report.cs

ReportDataSerializer.cs

Crafting a payload

Final RCE Payload

Blob Handler.ashx

Encryption Function

Getting the Master Key

Default Master Key

Description:

Explore advanced techniques for discovering zero-day vulnerabilities in enterprise web applications in this conference talk from NahamCon2022. Delve into the intricacies of HCL Digital Experience, IBM Websphere Portal, Lotus Domino, Solarwinds Web Help Desk, and Sitecore's Experience Platform. Learn how to decompile JARs, identify attack surfaces, chain vulnerabilities, and craft exploits for post-auth RCE via directory traversal. Gain insights on variant hunting, super SSRF, and leveraging hardcoded credentials in development and production environments. Master the art of source code analysis, payload crafting, and encryption key retrieval to enhance your offensive security skills.

Finding 0days in Enterprise Web Applications

NahamSec

Add to list

#Conference Talks #NahamCon #Information Security (InfoSec) #Ethical Hacking #Server-Side Request Forgery (SSRF) #XML External Entity (XXE) Injection #Programming #Web Development #Web Application Security #Cybersecurity #Zero-Day Vulnerabilities #Attack Surface Analysis