Glance Networks
www.glance.net
  High:
    SQL Injection resulting in unprivileged data access or modification
    Authentication or session management flaws leading to arbitrary account compromise
    Unprivileged data access / privilege escalation
  Medium:
    Persistent or Stored XSS
    Cross-Site Request Forgery (CSRF) exposure on sensitive functions
    Use of a third-party component/library with an unknown vulnerability, or with a known vulnerability older than 45 days that has a CVSS score of 7.0 or higher
  Low:
    Reflected XSS
    XSS from an authenticated customer admin
    External Cross-Site Request Forgery (CSRF) exposure on non-sensitive or non-critical functions
    Cross-site History Manipulation (XSHM) resulting in Information Inference (other than Login or permission detection)
    Unintended iframe embedding (other than intentionally configured iframe embedding)
*.glance.net
  Medium:
    Sub-domain takeover on *.glance.net domains with the ability to obtain a certificate (HTTPS requests allowed)
  Low:
    Sub-domain takeover on *.glance.net domains without the ability to obtain a certificate (HTTPS not allowed)
Out of scope:
  ww2.glance.net
  help.glance.net
  status.glance.net
  glance.cx
Unsanitized input → to be attacked later
Emails:
I found that the domain above is a Microsoft IIS HTTPd, so we can do somewhat customized enumeration or fuzzing with a wordlist specific to it.
And this one alone returned a 403; afterwards we can verify endpoints from historical content discovery with waymore, or directly from the Wayback Machine, etc.
gems/bootstrap/CVE-2024-6484.yml → we can look this up and use it with NUCLEI.
Blessed be the Retire.js extension I installed, haha, it's super cool.
Hidden DOM objects switched to shown → I delete an input that holds a base64 value and that value appears in another input →
Because I found these hidden elements in the DOM
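Added example (mine, not from the notes above): a JavaScript helper that lists hidden <input> fields, turns them into visible text fields when pasted into a browser console, and decodes any base64-looking value so the state a page carries in hidden inputs can be read before deleting or editing it. The sample form, field names and values are constructed for the demo and are not from the target; inspectHiddenInputs() works offline on an HTML string with a simple regex for attribute-style <input> tags (not a full HTML parser), and revealHiddenInputs() does the same against a live DOM.

```javascript
// Added example, not from the original notes. Enumerate hidden <input> fields,
// expose them, and decode base64-looking values for inspection.
// inspectHiddenInputs(html): offline, regex-based (attribute-style <input> tags only).
// revealHiddenInputs(): browser console, flips type="hidden" to "text" on the live DOM.

const BASE64_RE = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;

// Return the decoded text if `value` is well-formed base64 that decodes to
// printable text, otherwise null (so short tokens such as "a1b2c3" are skipped).
function tryDecodeBase64(value) {
  if (!value || value.length % 4 !== 0 || !BASE64_RE.test(value)) return null;
  let decoded;
  try {
    if (typeof Buffer !== 'undefined') {
      decoded = Buffer.from(value, 'base64').toString('utf8');           // Node
    } else {
      const bytes = Uint8Array.from(atob(value), (c) => c.charCodeAt(0)); // browser
      decoded = new TextDecoder().decode(bytes);
    }
  } catch (e) {
    return null;
  }
  return /^[\x20-\x7e\s]+$/.test(decoded) ? decoded : null;
}

// Parse <input ...> tags out of an HTML string and report the hidden ones.
function inspectHiddenInputs(html) {
  const tagRe = /<input\b[^>]*>/gi;
  const attrRe = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  const hidden = [];
  for (const [tag] of html.matchAll(tagRe)) {
    const attrs = {};
    for (const m of tag.matchAll(attrRe)) {
      attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
    }
    if ((attrs.type || '').toLowerCase() !== 'hidden') continue;
    const value = attrs.value || '';
    hidden.push({
      name: attrs.name || attrs.id || '(unnamed)',
      value,
      decoded: tryDecodeBase64(value),
    });
  }
  return hidden;
}

// Browser-console variant: make every hidden input visible, outline it in red,
// and return the same records. Returns [] when there is no DOM (e.g. under Node).
function revealHiddenInputs(doc = typeof document !== 'undefined' ? document : null) {
  if (!doc) return [];
  const found = [];
  doc.querySelectorAll('input[type="hidden"]').forEach((el) => {
    el.type = 'text';
    el.style.outline = '2px solid red';
    found.push({
      name: el.name || el.id || '(unnamed)',
      value: el.value,
      decoded: tryDecodeBase64(el.value),
    });
  });
  return found;
}

// Constructed sample page for the demo (not captured from any real target).
const SAMPLE_HTML = `
<form action="/session/update" method="post">
  <input type="hidden" name="csrf" value="a1b2c3">
  <input type='hidden' name='state' value='eyJyb2xlIjoidmlld2VyIn0='>
  <input type="hidden" id="ref" value="bm90LWEtc2VjcmV0">
  <input type="text" name="display" value="visible">
</form>`;

if (typeof require !== 'undefined' && require.main === module) {
  for (const h of inspectHiddenInputs(SAMPLE_HTML)) {
    console.log(`${h.name}: ${h.value}${h.decoded !== null ? `  -> ${h.decoded}` : ''}`);
  }
}
```

In a browser, paste the block into the console and call revealHiddenInputs() to see the hidden fields inline on the page; decoded values that turn out to be JSON or role names are the ones worth re-submitting with modified contents, since they point at state the server may be trusting the client to hold.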
Now we'll run feroxbuster, but with the credentials, already logged in, to see →
Username: h1-tearofextinction.glance.net
Password: qDz8hNTqdgREKvgoav7C