You know what’s more complex than the X-Men timeline? This write-up series. The events of the previous article I wrote, about hacking Fotor, happened last; the events discussed in this article happened after I pwned Pixlr, which I will post last as the grand finale.
So I opened Photopea, clicked on the “import from URL” option, started monitoring the requests and entered the URL of an image.
I found that the following endpoint was being used to load the image:
So the first thing I did was check whether it could load anything other than images.
I entered https://teamultimate.in in the url parameter and it got loaded.
Rule #69: If the web app includes and evaluates an arbitrary external resource provided by the user, it’s RFI; otherwise it’s not.
So, just for the sake of a quick test, I tried including http://somdev.me/rfi.txt, but it didn’t get evaluated, i.e. the web app treated it like a plain text file.
Alright, what’s next? SSRF!
I tried to read local files, cloud metadata and the like, but none of that worked. The only thing I had in hand was the ability to load pages served over HTTP(S).
So I tried including my xss.html and it worked!
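A hardened version of the kind of fetch-and-relay endpoint described above, written as an added example that is not Photopea’s code: the URL is checked before fetching (http(s) only, no embedded credentials, and every resolved address public, which is what shuts the door on the local-file and cloud-metadata attempts), and the fetched body is relayed only if its magic bytes say it is an image, so a fetched HTML page is never served from the app’s own origin. The injected `resolve` callable and the host names in it are assumptions so the check runs offline.

```python
import ipaddress
from urllib.parse import urlparse

# Hypothetical hardening for an "import from URL" image proxy (not Photopea's code).
# Control 1: fetch only public http(s) hosts. Control 2: relay only real image bytes.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

def is_public_address(ip: str) -> bool:
    # Loopback, RFC 1918, link-local (incl. 169.254.169.254 metadata) etc. are refused.
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def validate_fetch_url(url: str, resolve) -> tuple:
    """Return (allowed, reason). `resolve` maps a hostname to a list of IP strings;
    it is injected for offline testing (production would wrap socket.getaddrinfo)."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname or parts.username or parts.password:
        return False, "missing host or embedded credentials"
    try:
        ips = resolve(parts.hostname)
    except OSError:
        return False, "host does not resolve"
    for ip in ips:                       # every address must pass, not just the first
        if not is_public_address(ip):
            return False, f"{parts.hostname} resolves to non-public address {ip}"
    return True, "ok"

def image_content_type(body: bytes):
    """MIME type decided from the bytes themselves, never from the remote
    server's Content-Type header; None means 'not an image, do not relay'."""
    for magic, mime in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return mime
    return None

def relay_headers(body: bytes):
    """Response headers for passing a fetched body to the browser, or None to refuse."""
    mime = image_content_type(body)
    if mime is None:
        return None
    return {"Content-Type": mime, "X-Content-Type-Options": "nosniff",
            "Content-Disposition": "inline; filename=image"}
```

The address returned by `resolve` must also be the one the fetch actually connects to; resolving once for the check and again for the request leaves a DNS rebinding window.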
That’s all for now. Keep Learning! Keep Hacking!