#BugBounty — How I Found a Webshell on a VDP Program

TL;DR

Recon → interesting URL → Java code → download to Windows machine → Defender identified it as a JSP webshell

Hi Everyone,

This is an interesting finding I made on a public VDP program. While my friend Jaimin and I were doing recon on a public program, he found an interesting URL. He shared it with me, and as I was poking at it I found that Java code was being disclosed.

I thought I had found a source code disclosure vulnerability and wanted to see whether we could find something interesting in it. So I tried to download it onto my system. Fortunately I was on a Windows machine (I mostly work on Linux systems), and it turned out that the downloaded file was a webshell.

1. Fuzzing the URL leads to the following page:

https://subdomain.example.com/tmp/admin/mobile

2. Downloading it on Windows, Defender detects it right away. Microsoft advisory for the same:

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=HackTool:JS/Jsprat

3. Searching the internet for the same code snippet, it turns out the following web shell was uploaded.

Conclusion:

You can find weird stuff on the internet. 😂

Thanks for reading! Have a nice day ahead.

~Nishith K( https://twitter.com/busk3r )

Security Enthusiast | Keen Learner | Breaking stuff to learn | Occasional bounty hunter | Twitter: @busk3r
