In the case of heremit, we had a web application that by changing from POST and GET request we were able to deduce that there was a parameter named 'code' in which we could send malicious code.
Letβs us try to send a POST request against the directory /verify and the body request is filled with the code parameter.
After the request was sent, we can further inspect response.
Here is the response:
HTTP/1.0 500 INTERNAL SERVER ERROR
Content-Type: text/html; charset=utf-8
Content-Length: 290
Server: Werkzeug/1.0.1 Python/3.6.8
Date: Fri, 20 Aug 2021 05:01:07 GMT
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>500 Internal Server Error</title>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.</p>
The response code 500 INTERNAL SERVER ERROR indicates that something is wrong at the backend. At this point, we fully comprehend that the server does not sanitize our input properly, which ends up our entry breaking something up at the other end.
So werksbeurg whatever is a python based application so if we instead in the code parameter we could possibly try to inject python code and receive a reverse shell like so:
