Hacking Sony Database



This was a bug that I found back in early 2018. This started when a friend of mine (a.k.a. 1337) showed me a T-shirt that he got from Sony. So I thought, why can't I get one? So I started doing recon on the target. Sony had a wide range of domains and sub-domains. I spent 2 days looking for a bug on Sony's main domain and I got nothing.
So I went for the next thing, acquisitions. Same result. So I thought I should do something else, so I started dorking:
site:*.sony.*
And I landed on sony.co.kr and found a sub-domain, bpeng.sony.co.kr. Due to the difficulty of understanding the Korean language, I didn't know any of the options on the page.
Then something interesting happened: https://bpeng.sony.co.kr/handler/BPEtc-PageView?pagename=some page blah blah
So I changed the value of pagename to something else and boom, it redirected to that page. So let's try etc/passwd... and nothing happened.
But Why..?
Because the server is Microsoft IIS, you dummy.
As per my experience I had never had a chance to exploit an IIS server, so let's search for resources. I found that the site uses JSP and has something called WEB-INF that contains the configuration,
and PayloadsAllTheThings gave me the perfect payload:
jsp/etc/../../WEB-INF/web.xml
and I got this in response:
DB Configuration Files
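The handler above took a page name from the query string and resolved it on disk, which is why a traversal sequence reached WEB-INF/web.xml while a simple /etc/passwd guess went nowhere on IIS. The following is an added example (not code from the post or from Sony) of how a defender would close and detect this class of bug: an allowlisted, canonicalised page resolver, and a small detector run over constructed IIS-style log lines. The page names, the pages directory and the log layout are all assumptions; nothing here is taken from the real bpeng.sony.co.kr application.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed allowlist of page names the handler is meant to serve (hypothetical;
# the real handler's page names are not known from the write-up).
ALLOWED_PAGES = {"main", "notice", "faq"}

# Directory the handler may read templates from (hypothetical layout).
PAGES_ROOT = "/srv/app/pages"


def resolve_page(pagename: str, pages_root: str = PAGES_ROOT) -> Optional[str]:
    """Map a user-supplied pagename to a file path, or return None if unsafe.

    Two independent controls: an allowlist (the real fix) plus a canonicalisation
    check so that even an allowlist mistake cannot escape pages_root. Blocking a
    single string such as '/etc/passwd' is not a control, as the traversal to
    WEB-INF/web.xml shows.
    """
    if not pagename or len(pagename) > 64:
        return None
    # Reject anything that is not a plain token: no slashes, dots or NUL bytes.
    if not all(c.isalnum() or c in "-_" for c in pagename):
        return None
    if pagename not in ALLOWED_PAGES:
        return None
    root = posixpath.normpath(pages_root)
    candidate = posixpath.normpath(posixpath.join(root, pagename + ".jsp"))
    # Defence in depth: the resolved path must stay inside pages_root.
    # (On a live server also apply os.path.realpath to defeat symlinks.)
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


# --- Detection over web-server logs -------------------------------------------

SUSPICIOUS_MARKERS = ("..", "web-inf", "etc/passwd", "web.xml")


def flag_traversal(log_line: str) -> bool:
    """Return True if an IIS W3C-style log line looks like a traversal probe.

    Assumed field order (constructed, simplified): date time c-ip cs-method
    cs-uri-stem cs-uri-query sc-status. The query is URL-decoded twice because
    probes are often double-encoded (e.g. %252e%252e).
    """
    fields = log_line.split()
    if len(fields) < 7:
        return False
    query = unquote(unquote(fields[5])).lower()
    return any(marker in query for marker in SUSPICIOUS_MARKERS)


def flagged_lines(log_lines):
    """Return only the log lines that flag_traversal considers suspicious."""
    return [line for line in log_lines if flag_traversal(line)]


# Constructed sample log lines (not real Sony logs).
SAMPLE_LOG = [
    "2018-02-01 10:00:01 10.0.0.5 GET /handler/BPEtc-PageView pagename=main 200",
    "2018-02-01 10:00:07 10.0.0.5 GET /handler/BPEtc-PageView pagename=etc/passwd 404",
    "2018-02-01 10:00:12 10.0.0.5 GET /handler/BPEtc-PageView pagename=jsp/etc/../../WEB-INF/web.xml 200",
    "2018-02-01 10:00:15 10.0.0.5 GET /handler/BPEtc-PageView pagename=jsp%252fetc%252f..%252f..%252fWEB-INF%252fweb.xml 200",
]


if __name__ == "__main__":
    for p in ("main", "etc/passwd", "jsp/etc/../../WEB-INF/web.xml", "../notice"):
        print(f"{p!r:40} -> {resolve_page(p)}")
    for line in flagged_lines(SAMPLE_LOG):
        print("ALERT:", line)
```

The resolver never lets the query string choose a path at all: the client picks a token, the server picks the file. The log check is deliberately crude and will produce false positives on legitimate content containing "..", so in practice it belongs in a SIEM rule paired with the response status, where a 200 on a WEB-INF request is the signal that the control failed rather than merely that someone probed it.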
Reported it to Sony; they listed my name in their HOF and gave me a T-shirt.

Stay Creative and Happy HACKING.