1
00:00:01,680 --> 00:00:03,900
Hello, everyone, and welcome to the video.

2
00:00:04,710 --> 00:00:11,790
So there is an awesome CVE, which is an RCE vulnerability, which is identified in Apache

3
00:00:11,790 --> 00:00:12,330
software.

4
00:00:12,960 --> 00:00:21,000
So it is identified in Apache Unomi software, which is basically a pre-auth RCE vulnerability.

5
00:00:21,390 --> 00:00:28,650
Now, this vulnerability has been assigned a CVSS score of 10, which is critical.

6
00:00:29,310 --> 00:00:31,140
Now, this is because of

7
00:00:32,360 --> 00:00:39,410
the complete compromise of, you know, services and confidentiality, integrity and availability,

8
00:00:39,620 --> 00:00:47,390
in addition to allowing access to the underlying operating system, which means basically any unauthenticated

9
00:00:47,570 --> 00:00:55,730
attacker can execute commands on this Apache software and execute malicious commands.

10
00:00:56,450 --> 00:01:03,410
Now, this basically compromises the CIA triad, due to which the CVSS score has been assigned

11
00:01:03,410 --> 00:01:05,960
as 10.0, which is critical.

12
00:01:06,500 --> 00:01:06,950
All right.

13
00:01:06,950 --> 00:01:10,370
So let's quickly see what this vulnerability is.

14
00:01:11,090 --> 00:01:18,800
So this vulnerability lies in sending a specially crafted POST request to the endpoint, which is

15
00:01:18,800 --> 00:01:19,940
context.json.

16
00:01:20,510 --> 00:01:25,720
And you can see over here, this is the body which has been sent, and in the body

17
00:01:26,150 --> 00:01:29,150
you can see there is a Runtime.getRuntime()

18
00:01:29,360 --> 00:01:36,910
.exec, and any command that you supply will be executed on the target server.

19
00:01:37,160 --> 00:01:42,800
So here we are basically going to create an empty file using the command touch in the directory, which

20
00:01:42,800 --> 00:01:45,820
is tmp, and the file is poc.

21
00:01:46,010 --> 00:01:46,400
All right.

22
00:01:47,180 --> 00:01:54,170
Vulnerability number two: the same pre-auth RCE vulnerability is being achieved, but through a different

23
00:01:54,170 --> 00:01:54,530
way.

24
00:01:55,440 --> 00:02:03,090
And here you can see the researcher is able to execute the same command, as you can see over here, which

25
00:02:03,090 --> 00:02:11,460
is touch /tmp/poc. The payload may look scary, but nothing fancy is happening

26
00:02:11,460 --> 00:02:12,960
over here. Again,

27
00:02:12,990 --> 00:02:19,890
the same thing is being done, which is Runtime.getRuntime() to execute the command, which is touch,

28
00:02:19,890 --> 00:02:22,530
to create a blank file in the tmp directory.

29
00:02:23,830 --> 00:02:25,880
All right, so I hope you guys understood this.

30
00:02:25,900 --> 00:02:32,520
Now let us try to see some more public PoCs that started coming up in the wild.

31
00:02:33,040 --> 00:02:34,690
So first, see over here.

32
00:02:34,870 --> 00:02:38,860
So again, CVE-2020-13942 payload.

33
00:02:39,880 --> 00:02:48,360
You can see the researcher is able to craft his own payload wherein he is trying to open a calculator.

34
00:02:49,240 --> 00:02:53,440
And what happens if I execute this command?

35
00:02:54,540 --> 00:02:58,260
You can see a calculator successfully gets popped up.

36
00:02:58,660 --> 00:02:59,060
All right.

37
00:02:59,710 --> 00:03:06,550
So this means the attacker is able to successfully execute commands on the underlying target operating

38
00:03:06,550 --> 00:03:07,000
system.

39
00:03:07,540 --> 00:03:13,310
Let's have a look at the PoC which has been released by the original finder, or original author.

40
00:03:14,590 --> 00:03:17,530
So the first, as you can see, is the HTTP request.

41
00:03:17,560 --> 00:03:20,590
So this is the HTTP request which has been sent.

42
00:03:20,860 --> 00:03:27,520
So let's copy this and let's send the same HTTP request to a target which I have identified.

43
00:03:27,940 --> 00:03:29,100
So let's go over here.

44
00:03:31,280 --> 00:03:39,650
All right, so I'm going to replace the content here, and you can see this is the Content-Length, so

45
00:03:39,650 --> 00:03:43,220
let me just remove this part and let me hit send.

46
00:03:43,670 --> 00:03:47,320
And you can see I'm successfully able to get a 200 OK.

47
00:03:47,690 --> 00:03:49,300
And this is the output part.

48
00:03:49,310 --> 00:03:56,210
You can see the command that I have executed is gnome-calculator, which means the calculator application

49
00:03:56,210 --> 00:03:59,000
must have opened on the target server.

50
00:03:59,000 --> 00:04:05,090
And you can see a couple of parameters are available in the response body, which are profileId,

51
00:04:05,550 --> 00:04:09,800
sessionId, profile properties, session properties, etc.

52
00:04:10,370 --> 00:04:12,620
This confirms the target is vulnerable.

53
00:04:13,160 --> 00:04:18,950
If the target gives an error and does not give this output in the response, that means it is not

54
00:04:18,950 --> 00:04:19,420
vulnerable.

55
00:04:19,730 --> 00:04:26,240
But in this case, this target is successfully exploitable and vulnerable. Moving ahead,

56
00:04:30,100 --> 00:04:35,320
as we can see over here, this is another PoC which has been uploaded, and here you can see the same

57
00:04:35,320 --> 00:04:39,370
exact payload, but the command which has been executed is whoami.

58
00:04:39,460 --> 00:04:41,490
So let's try this as well.

59
00:04:41,500 --> 00:04:43,080
So let's copy it from here.

60
00:04:44,770 --> 00:04:46,720
Go to our Burp.

61
00:04:47,730 --> 00:04:54,210
And paste it over here. That sent a bad request, my bad.

62
00:04:55,880 --> 00:05:02,090
And hit send, and you can see I'm able to get the same response over here, and the executed command is

63
00:05:02,090 --> 00:05:03,230
whoami.

64
00:05:03,950 --> 00:05:08,630
All right, so here we can confirm that we are getting a great response based on this.

65
00:05:08,630 --> 00:05:10,970
And this confirms that the target is vulnerable.

66
00:05:11,450 --> 00:05:17,660
Now, there are many templates that have been released in the wild for identification of the vulnerability,

67
00:05:17,960 --> 00:05:24,410
as well as many WAF rules that have also been released to block many of the rules.

68
00:05:24,650 --> 00:05:33,770
So you can see one of the detection rules: if anyone is trying to identify

69
00:05:34,160 --> 00:05:38,980
the vulnerability on your target server, you are going to get alerted by this detection rule.

70
00:05:39,680 --> 00:05:46,880
Also, if you see the nuclei template, then you can see over here the matchers: the matched condition is

71
00:05:46,880 --> 00:05:49,570
and, and match type status 200.

72
00:05:49,580 --> 00:05:52,130
OK, what are these words?

73
00:05:52,130 --> 00:05:58,460
And they are basically doing a regex of profileId, sessionId, properties and segment.

74
00:05:58,770 --> 00:06:03,320
Let's see this: profileId, sessionId,

75
00:06:04,240 --> 00:06:12,430
properties and segment. As you can see, it's properties and segment, so this is basically it to conclude

76
00:06:12,430 --> 00:06:18,220
that the target is vulnerable, because we are able to get this in our response successfully.

77
00:06:19,900 --> 00:06:27,600
Now, how to identify multiple targets? For that, you can simply use search engines like Shodan, Censys,

78
00:06:27,610 --> 00:06:29,000
also you can use Google dorks.

79
00:06:29,000 --> 00:06:34,090
So I'm just going to show you how you can use Censys, so you can just search for Apache

80
00:06:34,090 --> 00:06:40,000
Unomi and you will be able to see multiple targets, as can be seen over here.

81
00:06:40,210 --> 00:06:45,640
Now, you can just come to any of the targets, or let's say I go to the first target, which is this

82
00:06:45,640 --> 00:06:45,870
one.

83
00:06:46,300 --> 00:06:50,410
Let's go to Google and let's wait for this to open.

84
00:06:56,240 --> 00:07:02,990
Yeah, so you can see it has successfully opened over here, and this is the default configuration

85
00:07:02,990 --> 00:07:04,630
page of Apache Unomi.

86
00:07:05,120 --> 00:07:11,150
And now you can try; basically here you can see this as a Google dork as well.

87
00:07:11,150 --> 00:07:16,930
To identify multiple targets, you have to modify your dork to get the right programs.

88
00:07:16,940 --> 00:07:17,350
All right.

89
00:07:17,570 --> 00:07:22,640
Now, I have also written a script for you to identify multiple domains.

90
00:07:22,640 --> 00:07:28,610
If you have them, if you have enumerated a lot of domains for any bug bounty program,

91
00:07:28,610 --> 00:07:35,770
then you can directly put the list of subdomains into this bash script, and it will automatically identify

92
00:07:35,780 --> 00:07:38,320
for you if the target is vulnerable or not.

93
00:07:38,320 --> 00:07:42,740
For that, you just need to put your targets into a file, as you can see over here.

94
00:07:42,830 --> 00:07:50,480
And then I'm going to supply this file to my script, and let me just hit enter, and you can see it has

95
00:07:50,480 --> 00:07:53,270
started identifying if the target is vulnerable or not.

96
00:07:53,510 --> 00:07:58,250
And you can see this IP is vulnerable, which we have already seen in our PoC.

97
00:07:58,460 --> 00:08:04,280
Apart from that, all the programs, as you can see, all the domains or subdomains are not vulnerable.

98
00:08:04,520 --> 00:08:11,150
So this can be helpful to everyone to identify or mass-scale your bug hunting, because this is a new

99
00:08:11,150 --> 00:08:18,890
CVE and you may end up identifying a vulnerable target subdomain or program of any bug bounty program that

100
00:08:18,890 --> 00:08:23,300
can even be private, because there are many other RDP programs that are vendors.

101
00:08:23,720 --> 00:08:29,420
And you may get lucky to find out one of the subdomains which is not yet patched and which is running

102
00:08:29,720 --> 00:08:32,040
under the outdated version of Apache.

103
00:08:33,140 --> 00:08:37,880
Now, remember, as this is a critical one, it is a remote code execution.

104
00:08:38,210 --> 00:08:40,760
It is a pre-auth remote code execution.

105
00:08:40,760 --> 00:08:46,820
So the chances are high that you may end up getting a very good bounty in case you identify a vulnerable

106
00:08:46,820 --> 00:08:47,270
target.

107
00:08:47,270 --> 00:08:48,830
Then please do comment below.

108
00:08:49,430 --> 00:08:53,630
I would be very happy if you get benefit out of this video.

109
00:08:56,080 --> 00:08:57,440
So this is it for this video.

110
00:08:57,700 --> 00:09:03,460
I hope you guys liked it. I'm going to add all the resources into the description section so you guys

111
00:09:03,460 --> 00:09:05,200
can use it without any issues.

112
00:09:05,920 --> 00:09:06,780
Stay safe.

113
00:09:06,850 --> 00:09:07,390
Thank you.