Bug-hunting experience | How I found a Yahoo remote code execution vulnerability and earned a $5,500 bounty


I have always believed that sharing with others is a good trait, and I myself learned things that will last me a lifetime from the many security researchers working in the vulnerability-reward field, so I decided to share some of my recent small discoveries in this article, in the hope that they help Freebuf readers start their own bug bounty journey sooner.

Just a few months ago, a security researcher found a serious vulnerability in Apache Struts2, CVE-2017-5638; some of you have probably heard of it. It is a remote code execution vulnerability, and at the time a large number of web applications on the Internet were affected by it. About three weeks later, researchers released exploit code for Struts2.

During an earlier bug-hunting session I came across the following link:

https://svdevems01.direct.gq1.yahoo.com/sm/login.jsp

This is a Yahoo login page. I tried to find vulnerabilities in this page, but unfortunately found nothing until I discovered the following endpoint:

https://svdevems01.direct.gq1.yahoo.com/sm/login/loginpagecontentgrabber.do

Note: if you find an endpoint address containing .action, .do or .go, this indicates that the web application is running on Struts2.

As I said before, exploit code for the Struts2 vulnerability had already been released, and exploiting this vulnerability is very simple. Although I knew there was a vulnerability here, the ready-made exploit code did not work, so I suspected that a web application firewall was interfering, or that something else was blocking my attack. Since I was able to determine that the vulnerability was indeed present, I couldn't stop there. But to submit a valid vulnerability, I had to provide a working PoC to prove that this vulnerability was valuable.
After some research, I found a tweet describing how to bypass the WAF with a Payload and successfully exploit this vulnerability. The detection method I used requires sending a specially crafted request whose Content-Type HTTP header carries the data shown below:

Content-Type:%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Ack-Th3g3nt3lman-POC',4*4)}.multipart/form-data

This specially constructed request not only makes the web server multiply two numbers, it can also make the web server perform any other kind of operation. In the above example, the request computes the value of 4 * 4, and the server returning 16 means that the server is vulnerable. As shown in the screenshot, the response contains the new header, i.e. X-Ack-Th3g3nt3lman-POC: 16.

That was enough for me to submit a vulnerability report to Yahoo through HackerOne. Yahoo's team triaged the vulnerability within 30 minutes of receiving the report, then promptly took the vulnerable application offline to fix the issue, and a few days later I received a $5,500 vulnerability bounty from Yahoo.

In fact, finding bugs is not difficult; as long as you are willing to spend time and willing to think, I believe bounties of thousands of dollars are within everyone's easy reach. Finally, I hope these small findings of mine bring some inspiration to everyone in their bug-hunting.
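To make the WAF lesson concrete from the defending side, here is an added example (not part of the original post and not Yahoo's or Struts' code) that validates the Content-Type header against the HTTP media-type grammar instead of matching on keywords, so a request like the one above is rejected regardless of how the OGNL expression is phrased; the sample requests are constructed for the demonstration.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample request heads (not real traffic), one raw HTTP head per entry.
SAMPLE_REQUESTS = [
    "POST /sm/login/loginpagecontentgrabber.do HTTP/1.1\r\nHost: example.invalid\r\n"
    "Content-Type: multipart/form-data; boundary=----abc123\r\n",
    "POST /sm/login/loginpagecontentgrabber.do HTTP/1.1\r\nHost: example.invalid\r\n"
    "Content-Type: %{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']"
    ".addHeader('X-Ack-Th3g3nt3lman-POC',4*4)}.multipart/form-data\r\n",
    "GET /sm/login.jsp HTTP/1.1\r\nHost: example.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n",
]

# RFC 7231 media-type: token "/" token, optionally followed by ";" parameters.
# Braces are not token characters, so an OGNL expression fails the grammar outright.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
MEDIA_TYPE_RE = re.compile(rf"^\s*{TOKEN}/{TOKEN}\s*(;.*)?$")

# Keyword backstop for expressions hidden inside the parameter section.
OGNL_MARKERS = ("%{", "${", "#context", "#_memberaccess", "xwork2")


def parse_headers(raw_head: str) -> Dict[str, str]:
    """Split a raw HTTP head into a lowercase header-name -> value map."""
    headers: Dict[str, str] = {}
    for line in raw_head.split("\r\n")[1:]:  # skip the request line
        if ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return headers


def is_suspicious_content_type(value: str) -> bool:
    """True when the value is not a syntactically valid media type or carries OGNL markers."""
    lowered = value.lower()
    if any(marker in lowered for marker in OGNL_MARKERS):
        return True
    return MEDIA_TYPE_RE.match(value) is None


def flag_requests(raw_requests: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (index, request line) for every request whose Content-Type should be rejected."""
    flagged: List[Tuple[int, str]] = []
    for index, raw_head in enumerate(raw_requests):
        request_line = raw_head.split("\r\n", 1)[0]
        content_type = parse_headers(raw_head).get("content-type")
        if content_type is not None and is_suspicious_content_type(content_type):
            flagged.append((index, request_line))
    return flagged
```

Dropping such requests at the edge, or logging them to the SIEM, catches the probe before it reaches Struts; the real fix remains upgrading Struts to a version that no longer evaluates the header.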