TL;DR
Recon → Interesting URL → java code → download to windows machine → Defender identified as jsp webshell
Hi Everyone,
This is an interesting finding I have found on a public vdp program. While me and a friend of mine Jaimin was doing recon on a public program, he found an interesting URL. He shared it with me and I was just poking it and found out that java code is disclosed.
I thought I have found some source code disclosure vulnerability and let’s see we can find something interesting out of this. So I tried to download it on my system. Fortunately I was on a windows machine (Mostly I work on linux system) and it turns out that downloaded file was a webshell.
- Fuzzing the URL leads to following page
https://subdomain.example.com/tmp/admin/mobile
2. Downloading on windows and defender detects it right away. Microsoft advisory for the same.
3. By searching on internet the same code snippet it turns out following web shell was uploaded.
Conclusion:
You can found weird stuff on internet. 😂
Thanks for reading! Have a nice day ahead.
~Nishith K( https://twitter.com/busk3r )
