■ ■ ■ ■ ■ ■
CyberSecurity/Web/BountyStory/RemoteCodeExecution/20230314 - $10.000 bounty for exposed .git to RCE.md
| skipped 7 lines |
| 8 | 8 | | nuclei -l aqua_$1/aquatone_urls.txt -t ~/nuclei-templates -es info -o nuclei_$1.txt |
| 9 | 9 | | ``` |
| 10 | 10 | | Fortunately, the output of nuclei showed me the exposed .git/ directories:<br> |
| 11 | | - | <br> |
| | 11 | + | <br> |
| 12 | 12 | | Using the git-dumper tool to download the source: |
| 13 | 13 | | ``` |
| 14 | 14 | | git-dumper http://example.com/.git/ output |
| skipped 7 lines |
| 22 | 22 | | |
| 23 | 23 | | ### 3. Preparing Exploit |
| 24 | 24 | | To craft the request, I also had to take into account a simple validation that required hardcoded secret keys<br> |
| 25 | | - |  |
| | 25 | + |  |
| 26 | 26 | | <br> |
| 27 | 27 | | |
| 28 | 28 | | ### 4. Final Result |
| 29 | 29 | | And the final result: |
| 30 | 30 | | `http://example.com/ftp-upload/sync.php?deluser=INJECTION&secret1=[secret1]&secret2=[sha1 encoded secret2]` |
| 31 | | - |  |
| | 31 | + |  |
| 32 | 32 | | <br> |
| 33 | 33 | | |
| 34 | 34 | | ## Credit |
| skipped 7 lines |
Hossein NafisiAsl
committed
with
GitHub
1 year ago
1 parent 45a0727b