How I accessed other domains on infinityfree.net using Directory Traversal

Kurt Russelle Marmol
2 min read · Mar 14, 2022


Hi, it’s me again haha, Kurt Russelle Marmol, aka xkurtph, web developer (noobie) and security researcher.

Vulnerability Method:

  • Directory / Path Traversal

What is infinityfree.net?

Infinity Free is a US-based web hosting provider launched in 2016, and, as its name suggests, it offers free hosting services for an indeterminate period of time.

Story:

I found this bug by accident haha, when a friend wanted to access my files on the web hosting, so I gave them a PHP shell instead of the FTP account. I gave them the PHP shell because it is easier to use than FTP, where you need to log in before you can access the files (time-consuming).

Let’s say I have a domain name iamxkurtph.com. I gave my friend a shell path, which is iamxkurtph.ml/shell.php

When you try to open a folder or a file, the URL path becomes something like this: https://iamxkurtph.ml/shell.php?path=/home/vol11_6/epizy.com/epiz_30774583/htdocs/images

Can you see the clue? This is how I accessed other domains hahaha.

Here it is:

As you can see, epiz_30774583 is my username on the host, so I changed it incrementally, like epiz_30774584, epiz_30774585, or epiz_30774586. The whole URL then looks like this: https://iamxkurtph.ml/shell.php?path=/home/vol11_6/epizy.com/epiz_30774584

And gotcha! You can already access other domains’ files with this method, but it only works if the other domain is on the same host/server as the one you use.
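The file browser in this story passes whatever `path` it is given straight to the filesystem, and the host let that path reach other accounts’ home directories. The hosting-side fix is isolation between accounts, but any script that takes a path parameter should also refuse paths that leave its own web root. The following is an added Python illustration of that check, not the post’s shell.php; the account root is the path from the URL above, and the function names and sample requests are my own.

```python
import posixpath

# Web root of the account, taken from the path shown in the post's URL.
ACCOUNT_ROOT = "/home/vol11_6/epizy.com/epiz_30774583/htdocs"


def resolve_inside(base: str, requested: str):
    """Return the normalised path for `requested` if it stays inside `base`.

    Returns None when the path escapes `base`, whether through '..' segments,
    an absolute path into another account, or a sibling directory that merely
    shares `base` as a string prefix.
    """
    base = posixpath.normpath(base)
    # A relative request is joined onto base; an absolute one replaces it,
    # which is exactly what a browser script must then verify.
    candidate = posixpath.normpath(posixpath.join(base, requested))
    # commonpath compares whole path segments, so "/htdocs_backup" is not
    # mistaken for something under "/htdocs" the way str.startswith would.
    if posixpath.commonpath([base, candidate]) != base:
        return None
    # On a real server, follow this with os.path.realpath(candidate) and
    # repeat the check so a symlink inside base cannot point outside it.
    return candidate


def check_requests(base: str, requests):
    """Map each requested path to its resolved path, or None when rejected."""
    return {req: resolve_inside(base, req) for req in requests}


if __name__ == "__main__":
    # Constructed sample requests: the author's own images folder, a relative
    # folder, the neighbouring account from the post, a '..' escape, and a
    # sibling directory that shares the web root's name as a prefix.
    samples = [
        "/home/vol11_6/epizy.com/epiz_30774583/htdocs/images",
        "images",
        "/home/vol11_6/epizy.com/epiz_30774584",
        "images/../../../epiz_30774584",
        "/home/vol11_6/epizy.com/epiz_30774583/htdocs_backup",
    ]
    for req, resolved in check_requests(ACCOUNT_ROOT, samples).items():
        print(f"{'ALLOW' if resolved else 'DENY ':5} {req} -> {resolved}")
```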

The bug originated from a third-party provider that infinityfree.net also uses to serve sites. I had already reported the bug to infinityfree.net, but they told me to report it to iFastNet, because iFastNet is the main provider hosting the domains.

The bug has been reported and fixed. iFastNet does not offer a bug bounty program, but they gave me a free .com domain as a reward :>

You can watch my full demonstration below.

Impact:

Using this bug as a method could lead to breaching other domains and leaking the files and sensitive information they hold.

Timeline:

March 10, 2022 — Bug submitted and review

March 13, 2022 — Bug fixed and rewarded

Shoutout to PlagueSec and KumaTechDevs
