How I was able to delete a production backend server in my first finding.

Mr Grey
4 min read · Dec 30, 2024


Hello folks, in this article I will tell you about my journey of finding a CSRF and using it to delete a backend PHP server in my first triaged finding.

First, a bit of backstory

I found this bug back in December 2023. I wrote this blog at the time but didn’t publish it, so I am just turning everything into past tense and publishing it now :)

Hi, I am Raduanul Rohan, a nerdy kid from Bangladesh. I was mostly a CTF player until December 2023, when I decided to start hunting out of nowhere. It was a tough decision for me because of the anxiety and perfectionism I had: “I need to learn everything before jumping”, “There are hackers out there better than me”, “I'm not capable enough”. But I started anyway.

Caterpillar was a big scope program. Literally everything they owned was in scope. I started my recon by watching Nahamsec’s live recon videos and collected well over 100 valid root domains. I was discovering new things and was learning and testing them.
Back then, I didn’t know how to fully automate everything, nor was I capable of hunting manually. So I was just checking those domains one by one myself, looking for some weird web pages that I could target.

catwatches.com was a site for selling Caterpillar branded watches and stuff like that. While exploring, I came across a subdomain like something.catwatches.com. It felt pretty weird: just a blank page displaying its DNS name and mentioning something related to a server control panel.

So I was kinda sure that it might be some sort of admin portal. I started fuzzing with some commonly used admin portal names. Ffuf hit a 200 response code: there was a phpMyAdmin login page behind the site.

As I told you earlier, I was mostly a CTF player back then. In CTFs the first thing we do is check the HTML and JS code looking for clues or actual flags. With this CTFer instinct, I opened up the source code. The source code can be full of juicy stuff sometimes, which is rare nowadays but not back then. I was lucky: the PMA version was disclosed in the HTML source. It was running phpMyAdmin 4.6.6.

Sounds a bit old, right? Yes, it was outdated and vulnerable to two CVEs.
The first one was an RCE, CVE-2016-5734, which seemed to have been patched in some way: when I sent the request containing the payload, it just kept timing out, and I got no response back from the server even after trying 15 to 17 times. Then I shifted my focus a bit. When I started testing for the second one, things started to get interesting..

CVE-2019-12922

CSRF in phpMyAdmin allows an attacker to trigger a CSRF attack against a phpMyAdmin user deleting any server in the Setup page.
The payload was quite a simple request to this endpoint:

So was the POC page:

<p>Deleting Server 1</p>
<img src="http://server/phpmyadmin/setup/index.php?page=servers&mode=remove&id=1" style="display:none;" />

I fired up my proxy and visited the POC page. Yes, the response indicated that the exploit was executed perfectly.

But why a 401? It was expected behavior. As I wasn’t logged in as an admin, I got a 401. There was no way I could have obtained an admin cookie for proper testing, so I left the rest of the testing in the triager’s hands.
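Since the vulnerable action is a plain GET with no anti-CSRF token, the forged request shows up in the server's own access log as a hit on the Setup removal endpoint whose Referer is missing or points at a foreign origin. The script below is an added example (not from the original post or from phpMyAdmin) that flags that pattern in combined-format access-log lines; the hostnames and log lines are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format: client, time, request line, status, size, referer, user agent
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def is_setup_remove(path: str) -> bool:
    """True when the request targets the Setup page's server-removal action."""
    parts = urlsplit(path)
    if not parts.path.endswith("/setup/index.php"):
        return False
    q = parse_qs(parts.query)
    return q.get("page") == ["servers"] and q.get("mode") == ["remove"]

def referer_host(referer: str) -> str:
    """Hostname from the Referer header; '' when absent or logged as '-'."""
    if not referer or referer == "-":
        return ""
    return (urlsplit(referer).hostname or "").lower()

def flag_csrf_candidates(lines, own_host: str):
    """Return (ip, path, referer, status) for removal hits whose Referer is
    missing or from another origin. A 401 still counts: it shows the forged
    request reached the application, as the post's proxy capture did."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_setup_remove(m["path"]):
            continue
        if referer_host(m["referer"]) != own_host.lower():
            hits.append((m["ip"], m["path"], m["referer"], int(m["status"])))
    return hits

# Constructed sample lines (not real logs): a legitimate in-app removal, a forged
# request loaded from an attacker-controlled page, one with no Referer, and noise.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Dec/2023:10:00:01 +0000] "GET /phpmyadmin/setup/index.php?page=servers&mode=remove&id=1 HTTP/1.1" 200 512 "https://pma.example.test/phpmyadmin/setup/index.php?page=servers" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Dec/2023:10:00:09 +0000] "GET /phpmyadmin/setup/index.php?page=servers&mode=remove&id=1 HTTP/1.1" 401 0 "https://evil.example.test/poc.html" "Mozilla/5.0"',
    '198.51.100.8 - - [12/Dec/2023:10:00:10 +0000] "GET /phpmyadmin/setup/index.php?page=servers&mode=remove&id=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [12/Dec/2023:10:00:11 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in flag_csrf_candidates(SAMPLE_LOG, "pma.example.test"):
        print("possible CSRF:", hit)
```

A missing Referer can also come from referrer policies or privacy extensions, so treat those hits as lower confidence than foreign-origin ones; the detection is a stopgap, and the actual remediation is upgrading phpMyAdmin past the affected version.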

He asked for more info, which I provided. The report went under program review and was finally triaged as a medium (6.5) by a Caterpillar staff member, and they sent my report to the app owner for remediation. Seems like everything was fine, right? No, they updated my report as informative, stating:

Closing report as informative as Caterpillar does not own this domain. Finding forwarded to dealer/licensee

I mean, what the heck? You sent the report to the app owner, and after it was fixed you tell me it was not owned by you? Is it a joke or something? I tried to argue back, but it didn’t work.

So here I am today. I have gone through some ups and downs but wasn’t able to keep up the consistency for a whole year. It was my first ever accepted bug, and at the same time it was not. But I still remember the joy I had seeing the triage notification in my mailbox..

Until the next one..
