How I access other domains in infinityfree.net using Directory Traversal
Hi, it’s me again haha, Kurt Russelle Marmol aka xkurtph, Web Developer (noobie) and Security Researcher.
Vulnerability Method:
- Directory / Path Traversal
What is infinityfree.net?
Infinity Free is a US-based web hosting provider launched in 2016, and, as its name suggests, it offers free hosting services for an indeterminate period of time.
Story:
I found this bug accidentally haha, when my friend wanted to access my files on the web hosting, so I gave them a PHP shell instead of the FTP account. I gave them a PHP shell because it is easier to use than FTP, because with FTP you need to log in to access the files (time-consuming).
Let’s say I have a domain name iamxkurtph.com. I gave my friend a shell path, which is iamxkurtph.ml/shell.php
When you try to open a folder or file, your URL path becomes something like this: https://iamxkurtph.ml/shell.php?path=/home/vol11_6/epizy.com/epiz_30774583/htdocs/images
Can you see the clue? Here is how I accessed other domains hahaha:
As you can see, epiz_30774583 is my username in the domain, therefore I changed it incrementally, like epiz_30774584, epiz_30774585, or epiz_30774586. The whole URL would look like this: https://iamxkurtph.ml/shell.php?path=/home/vol11_6/epizy.com/epiz_30774584
And gotcha! You can already access another domain’s files with this method, but it will only work if the other domain is on the same host/server as the one you use.
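The weakness in the shell described above is that its `path` parameter is taken as-is, so any path the web server process can read is served back, including another account’s home directory on the same server. The following is an added example (not the author’s shell.php and not code from InfinityFree or iFastNet) of how a file browser confines that parameter to the account’s own web root: the request is always treated as relative to a fixed base directory, `realpath()` collapses `../` and resolves symlinks, and the result is accepted only if it still starts with the base. `BASE_DIR` is a placeholder value, not a real account path.

```php
<?php
// Added example: a file browser whose "path" parameter cannot leave the
// account's own web root. BASE_DIR is a placeholder; a deployment would set
// it to the account's own htdocs directory.
const BASE_DIR = '/home/vol11_6/epizy.com/epiz_EXAMPLE/htdocs';

/**
 * Resolve $requested underneath $base and return the canonical path only if
 * it stays inside $base. Returns null for anything that escapes: "../"
 * sequences, absolute paths naming another account, symlinks pointing
 * outside the base, or paths that do not exist.
 */
function confinedPath(string $base, string $requested): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    // Strip leading slashes so "/home/vol11_6/epizy.com/epiz_OTHER" is
    // looked up under the base instead of at the filesystem root.
    $candidate = $baseReal . DIRECTORY_SEPARATOR . ltrim($requested, '/');
    // realpath() normalises "." and ".." and follows symlinks, so the check
    // below sees the directory that would actually be read.
    $real = realpath($candidate);
    if ($real === false) {
        return null;
    }
    // Compare against the base plus a trailing separator so that a sibling
    // such as ".../htdocs-other" does not pass as a prefix match.
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($real !== $baseReal && strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

/** List a confined directory, or return null if the path is not allowed. */
function listDirectory(string $base, string $requested): ?array
{
    $dir = confinedPath($base, $requested);
    if ($dir === null || !is_dir($dir)) {
        return null;
    }
    // Drop "." and ".." from the listing; they are never useful to a caller.
    return array_values(array_diff(scandir($dir), ['.', '..']));
}

// Request handling: refuse anything outside the base with a 403 instead of
// serving it, and log the rejected value so escape attempts are visible.
$requested = $_GET['path'] ?? '';
$entries = listDirectory(BASE_DIR, $requested);
if ($entries === null) {
    error_log('file browser: rejected path ' . $requested);
    http_response_code(403);
    exit('Path is outside this account.');
}
header('Content-Type: text/plain');
foreach ($entries as $entry) {
    echo $entry, "\n";
}
```

With this check in place, a request such as `?path=/home/vol11_6/epizy.com/epiz_30774584` resolves to a non-existent path under the base and is rejected, as is `?path=../../..`. The check only protects this one script, though: on shared hosting the host itself has to stop one account’s PHP process from reading another account’s directory (for example through filesystem permissions per account, or PHP’s `open_basedir` restriction), because a user can always upload a script that performs no such check.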
The bug originated from a third-party website, but it is also used by infinityfree.net to serve. I already reported the bug to infinityfree.net, but they told me to report it to iFastNet, because iFastNet was the main provider hosting the domain.
The bug was already reported and fixed. iFastNet is not offering a bug bounty program, but they gave me a free .com domain as a reward :>
You can watch my full demonstration below.
Impact:
Using this bug as a method could lead to breaching other domains on the same server and leaking the files and sensitive information they hold.
Timeline:
March 10, 2022 — Bug submitted and reviewed
March 13, 2022 — Bug fixed and rewarded
Shoutout to PlagueSec and KumaTechDevs