Recon
On wide-scope programs the first move is mapping the company's ASNs and CIDRs, which gives you the IPs to enumerate, fingerprint, and find origin servers behind a CDN. bgpview.io lists the company's ASNs by name; from there, this pipeline turns an ASN into live services:
whois -h whois.radb.net -- '-i origin AS123' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}' | sort -u | mapcidr -silent | httpx -silent
whois asks the RADB routing registry for the route objects that AS123 originates, grep pulls the IPv4 prefixes out of that reply, sort -u drops the duplicate objects registries routinely return, mapcidr expands each prefix into individual IPs, and httpx probes those IPs for live HTTP services. Route objects are operator-maintained and can be stale or over-broad, so cross-check the prefixes against what bgpview.io shows as actually announced before spending scan time on them. A faster but less complete alternative is the Shodan ASN query:
asn:AS123
Note — Shodan ASN search requires a paid account. Shodan turned up ~200 IPs; one looked like an admin panel — that's where I started.
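To make the first three stages of that pipeline concrete, here is an offline stand-in in POSIX sh. This is an added example, not code from the original write-up or from the whois, mapcidr or httpx tools themselves: the RADB reply is constructed by hand, AS123 is a placeholder, and the prefixes are documentation ranges. extract_cidrs does grep's job, expand_cidr does mapcidr's in pure shell arithmetic, and the httpx stage is left as the real command because it needs the network.

```shell
#!/bin/sh
# Added example, not from the original post: offline stand-ins for the
# whois -> grep -> mapcidr stages of the ASN pipeline. AS123 and the
# prefixes below are placeholders; the RADB reply is constructed by hand.

SAMPLE_RADB_REPLY='route:          198.51.100.0/24
descr:          Example Corp
origin:         AS123
source:         RADB

route:          198.51.100.0/24
descr:          Example Corp (stale duplicate object)
origin:         AS123
source:         RADB

route:          203.0.113.0/30
descr:          Example Corp, CDN origin
origin:         AS123
source:         RADB'

# grep stage: pull every IPv4 prefix out of a whois reply read on stdin.
# sort -u rather than uniq, so duplicates that are not adjacent collapse too.
extract_cidrs() {
    grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}' | sort -u
}

# Dotted quad -> 32-bit integer, using only POSIX arithmetic.
ip_to_int() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# mapcidr stage: print every address in a CIDR, one per line, starting at
# the network address even if the prefix was written with host bits set.
expand_cidr() {
    _prefix=${1%/*}; _bits=${1#*/}
    _base=$(ip_to_int "$_prefix")
    _mask=$(( (4294967295 << (32 - _bits)) & 4294967295 ))
    _start=$(( _base & _mask ))
    _count=$(( 1 << (32 - _bits) ))
    _i=0
    while [ "$_i" -lt "$_count" ]; do
        int_to_ip $(( _start + _i ))
        _i=$(( _i + 1 ))
    done
}

# Chained the way the real pipeline is. Only the probe needs the network,
# so that last line is left as the real httpx command.
printf '%s\n' "$SAMPLE_RADB_REPLY" | extract_cidrs
expand_cidr 203.0.113.0/30
# printf '%s\n' "$SAMPLE_RADB_REPLY" | extract_cidrs | while read -r c; do expand_cidr "$c"; done | httpx -silent
```

The constructed reply deliberately contains the same /24 twice, which is what you get from real registries and why the dedup step sits before expansion: expanding a /16 twice is 131,072 extra probes.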
Vulnerability Discovery
Wappalyzer flagged PHP. SQLi on the login form went nowhere, so I switched to directory fuzzing with ffuf and got a 401 on /Config/. In the browser, admin:admin simply worked.
Default creds on a panel like that suggested the rest of the surface was sloppy too. Among the side directories (js, css, images, data) a .rar file in images caught my eye:
Inside was a Chinese-language .doc with admin instructions for swapping the site logo:
Hitting changelogo.php in the browser silently 30x'd to index.php. In Burp the actual response told a different story:
A file-upload form. I tested with a GIF first, which worked:
A web shell upload didn't make it through — only .png and .gif were accepted. Last resort: try injection in the filename field itself. SQLi/SSTI/eval payloads bounced; a shell-injection payload landed:
filename="test || sleep 30 ||.gif"
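What most likely happened server-side, as an added example and not the target's actual PHP: the upload handler hands the filename to a shell inside a command string, so the `||` in the name is parsed as shell syntax and the command after it runs when the first one fails. The stand-in below is POSIX sh; the upload directory, the `ls` command and the file names are all assumed, and `sleep 30` is replaced by an echo marker so it finishes instantly. The hardened handler keeps the extension check the target already had and adds the two things it was missing: a strict character allowlist on the name, and passing the path as a single argument instead of through a shell string.

```shell
#!/bin/sh
# Added example, not the target's code: a stand-in upload handler showing
# why a filename of `test || sleep 30 ||.gif` executed, and the fix.
# The target was PHP; only the shell-out pattern is modelled here, and
# the directory, the `ls` command and the file names are assumed.

UPLOAD_DIR=$(mktemp -d)
trap 'rm -rf "$UPLOAD_DIR"' EXIT

# Constructed names: a benign upload and the page's payload with `sleep 30`
# swapped for an echo marker so the demonstration finishes instantly.
BENIGN_NAME='logo.gif'
INJECTED_NAME='test || echo INJECTED ||.gif'
: > "$UPLOAD_DIR/$BENIGN_NAME"

# Vulnerable pattern: the name is spliced into a string that a shell
# parses, so `||` is an operator, not part of a file name. The extension
# check the target had (`.gif` at the end) is satisfied and does nothing.
vulnerable_handle() {
    sh -c "ls -l $UPLOAD_DIR/$1" 2>/dev/null
}

# Hardened: allowlist the characters and the extension, refuse dot-files
# and `..`, then pass the path as one argument so nothing re-parses it.
safe_filename() {
    case "$1" in
        ''|.*|*..*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    case "$1" in
        *.png|*.gif) return 0 ;;
    esac
    return 1
}

hardened_handle() {
    safe_filename "$1" || { echo "rejected: $1" >&2; return 1; }
    ls -l -- "$UPLOAD_DIR/$1"
}

vulnerable_handle "$INJECTED_NAME"
hardened_handle "$INJECTED_NAME" || echo "hardened handler refused the payload"
hardened_handle "$BENIGN_NAME" >/dev/null && echo "hardened handler accepted $BENIGN_NAME"
```

In the vulnerable path the first `ls` fails because no file named `test` exists, which is exactly why the page's `||` payload fires: the injected command only runs when the legitimate one errors. With `sleep 30` in place of the marker the only signal is a 30-second response delay, which is why a blind time-based payload was the right test once everything that echoes output had bounced.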
Sweeping the same admin-panel fingerprint across the IP range I'd built earlier surfaced a second instance with the identical bug.
Report
I reported all of them at once. Within hours, every report was triaged.
Thanks for reading. Twitter: @omidxrz.