Hacking on a Private Program (Salesforce CRM)
I was hunting on a private program on HackerOne, so let's call it developer.target.com.
I found a register option, so I registered there. After some recon I found that it is a Salesforce CRM,
and while logging in I noticed that it was authenticating through Okta.
My first attempt was logging into Okta to get some juicy stuff, because the account was created on Okta.
So I hit target.okta.com,
then logged in and encountered an error,
which was
After seeing that I changed my date and time, but I still got the same error.
After a lot of research I found that the issue can be resolved only from the Okta admin console,
so I gave up on Okta
and came back to developer.target.com.
I logged in and found nothing juicy,
except this: https://developer.target.com/developer/s/settings/{profileID}
Then, after wasting some time, I changed the "settings" directory
to "profile",
like this: https://developer.target.com/developer/s/profile/{profileID}
and boom, I found more options, including a file upload feature.
So I tried to upload php, jsp and asp files, but got no preview for anything except jpg, png and the other image extensions.
With more recon I found this endpoint: https://developer.target.com/developer/s/sfsites/c/sfc/servlet.shepherd/document/download/{fileID}
After seeing this I knew what I had to do: I uploaded a CSV file containing a CSV injection payload and copied the fileID,
and put it here: https://developer.target.com/developer/s/sfsites/c/sfc/servlet.shepherd/document/download/001fdkd193
Then I opened this link from another browser and it did not work. I opened the link again as an authenticated user, meaning with an account on developer.target.com,
and boom, the file was downloaded. Once other devs open the CSV file in a spreadsheet application (and accept the security prompts Excel shows before
launching DDE), the OS command gets executed on their machine.
Payload in the CSV file: =10+20+cmd|' /C calc'!A0
The system should treat these characters specially when they appear at the start of any cell: =, +, -, @ (OWASP's CSV injection guidance also lists tab and carriage return).
The usual fix is not to strip them but to prefix such cells with a single quote, which forces the spreadsheet to treat the value as text, and to quote every cell so an embedded double quote cannot break out of the quoting.
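To make that mitigation concrete, here is an added example (my own code, not the program's or the author's) that scans an uploaded CSV for cells starting with a formula trigger and rewrites the file so those cells are neutralized with a leading single quote. The sample CSV is constructed for the demo and embeds the exact payload from the writeup; only the Python standard library is used.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a
# formula: the four named in the writeup, plus tab and carriage return, which
# OWASP's CSV injection guidance also lists.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# The DDE payload from the writeup, used here as constructed test input.
PAYLOAD = "=10+20+cmd|' /C calc'!A0"

# A constructed upload: two harmless rows and one carrying the payload.
SAMPLE_CSV = "name,note\nalice,hello\nbob," + PAYLOAD + "\n"


def is_formula_cell(cell: str) -> bool:
    """True if a spreadsheet would evaluate this cell instead of showing it."""
    return cell.startswith(FORMULA_TRIGGERS)


def neutralize_cell(cell: str) -> str:
    """Prefix a formula-looking cell with a single quote so it is shown as text.

    Cells that do not start with a trigger are returned unchanged, so ordinary
    data is not altered.
    """
    if is_formula_cell(cell):
        return "'" + cell
    return cell


def scan_csv(text: str):
    """Return (row, col, cell) for every cell that starts with a formula trigger.

    This is the check an upload handler can run on a CSV before storing it or
    serving it back to other users through a download endpoint.
    """
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text))):
        for c, cell in enumerate(row):
            if is_formula_cell(cell):
                findings.append((r, c, cell))
    return findings


def neutralize_csv(text: str) -> str:
    """Rewrite a CSV so no cell will be evaluated as a formula.

    Every cell is quoted (QUOTE_ALL) and embedded double quotes are doubled by
    csv.writer, so a value cannot close the quoting and smuggle a second
    formula into the same row.
    """
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in csv.reader(io.StringIO(text)):
        writer.writerow([neutralize_cell(cell) for cell in row])
    return out.getvalue()


def demo():
    """Scan the constructed upload, neutralize it, and rescan the result."""
    before = scan_csv(SAMPLE_CSV)
    cleaned = neutralize_csv(SAMPLE_CSV)
    after = scan_csv(cleaned)
    return before, cleaned, after


if __name__ == "__main__":
    found, cleaned, remaining = demo()
    print("cells flagged before neutralizing:", found)
    print(cleaned)
    print("cells flagged after neutralizing:", remaining)
```

Because "-" and "+" are triggers, this also prefixes legitimate values such as negative numbers or phone numbers written with a leading "+"; that is why the example neutralizes cells rather than rejecting the whole upload, and why the scan results are worth logging as a signal rather than treating every hit as an attack.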
I was awarded a $300 bounty for that.
Follow me: https://twitter.com/0xmaruf