CyberSecurity/Web/BountyStory/RemoteCodeExecution/20230314 - $10.000 bounty for exposed .git to RCE.md
| skipped 7 lines |
8 | 8 | | nuclei -l aqua_$1/aquatone_urls.txt -t ~/nuclei-templates -es info -o nuclei_$1.txt |
9 | 9 | | ``` |
10 | 10 | | Fortunately, the output of nuclei showed me the exposed .git/ directories:<br> |
11 | | - | ![20230314-1.png](../../images/20230314-1.png)<br> |
| 11 | + | ![20230314-1.png](../images/20230314-1.png)<br> |
12 | 12 | | Using the git-dumper tool to download the source: |
13 | 13 | | ``` |
14 | 14 | | git-dumper http://example.com/.git/ output |
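Review bot: the new path on line 11, `../images/20230314-1.png`, resolves from `CyberSecurity/Web/BountyStory/RemoteCodeExecution/` to `CyberSecurity/Web/BountyStory/images/`, and nothing in the visible lines shows that the image exists at that location. Please confirm the file is there, or include the image move in this commit, so the link does not stay broken after the change. While the line is being edited, the alt text could describe the screenshot (for example, the nuclei output listing the exposed .git/ directories) instead of repeating the filename.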
| skipped 7 lines |
22 | 22 | | |
23 | 23 | | ### 3. Preparing Exploit |
24 | 24 | | To craft the request, I also had to take into account a simple validation that required hardcoded secret keys<br> |
25 | | - | ![20230314-2.png](../../images/20230314-2.png) |
| 25 | + | ![20230314-2.png](../images/20230314-2.png) |
26 | 26 | | <br> |
27 | 27 | | |
28 | 28 | | ### 4. Final Result |
29 | 29 | | And the final result: |
30 | 30 | | `http://example.com/ftp-upload/sync.php?deluser=INJECTION&secret1=[secret1]&secret2=[sha1 encoded secret2]` |
31 | | - | ![20230314-3.png](../../images/20230314-3.png) |
| 31 | + | ![20230314-3.png](../images/20230314-3.png) |
32 | 32 | | <br> |
33 | 33 | | |
34 | 34 | | ## Credit |
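Review bot: on lines 25 and 31 the `<br>` sits on the line after the image, while line 11 keeps it on the image line itself (`![20230314-1.png](../images/20230314-1.png)<br>`); since all three image lines are being rewritten anyway, pick one form and use it for each. The context on line 30 also describes the parameter as `sha1 encoded secret2`; SHA-1 is a hash rather than an encoding, so "SHA-1 hash of secret2" would be the accurate wording if that line is touched in a follow-up.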
| skipped 7 lines |