    CyberSecurity/Web/BountyStory/RemoteCodeExecution/20230314 - $10.000 bounty for exposed .git to RCE.md
     1 +# $10.000 bounty for exposed .git to RCE
     2 + 
     3 +### 1. Recon
     4 +Using chain of tools:
     5 +```
     6 +amass enum -active -d $1 -brute -w ~/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -o amass.txt
     7 +cat amass.txt | aquatone -ports xlarge -out aqua_$1
     8 +nuclei -l aqua_$1/aquatone_urls.txt -t ~/nuclei-templates -es info -o nuclei_$1.txt
     9 +```
     10 +Fortunately, the output of nuclei showed me the exposed .git/ directories:<br>
     11 +![20230314-1.png](../../images/20230314-1.png)<br>
     12 +Using the git-dumper tool to download the source:
     13 +```
     14 +git-dumper http://example.com/.git/ output
     15 +```
     16 +<br>&nbsp;
     17 + 
     18 +### 2. Did not Rush
     19 +I thought this was a great opportunity to look for serious issues in the code and did not rush to report exposed .git<br>
     20 +And so it turned out that in the code they used a call to local bash scripts to save and delete ftp users via the shell_exec() function, which took an unfiltered userinput, which led to the RCE vulnerability<br>
     21 +<br>&nbsp;
     22 + 
     23 +### 3. Preparing Exploit
     24 +To craft the request, I also had to take into account a simple validation that required hardcoded secret keys<br>
     25 +![20230314-2.png](../../images/20230314-2.png)
     26 +<br>&nbsp;
     27 + 
     28 +### 4. Final Result
     29 +And the final result:
     30 +`http://example.com/ftp-upload/sync.php?deluser=INJECTION&secret1=[secret1]&secret2=[sha1 encoded secret2]`
     31 +![20230314-3.png](../../images/20230314-3.png)
     32 +<br>&nbsp;
     33 + 
     34 +## Credit
     35 +Based on [Lev Shmelev](https://medium.com/@levshmelevv/10-000-bounty-for-exposed-git-to-rce-304c7e1f54)'s writeup.
     36 +<br>&nbsp;
     37 + 
     38 +## Support
     39 +You can Follow [me](https://twitter.com/MeAsHacker_HNA) on twitter or
     40 +<br><br><a href="https://www.buymeacoffee.com/NafisiAslH" target="_blank"><img src="https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png" alt="Buy Me A Coffee" style="height: 60px !important;width: 217px !important;" ></a>
     41 + 
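Review bot: The writeup ends at the exploit URL in section 4 without naming the two root causes or how they are fixed, which is the part a reader of a security note needs; add a short mitigation section stating that the `.git/` directory must be denied at the web server (or never deployed), and that the `deluser` value must not reach `shell_exec()` unfiltered: validate it against a strict allow-list of username characters and wrap it with `escapeshellarg()`, or better, drop the shell call entirely and manage the FTP accounts through a non-shell interface. Two smaller points: the `shell_exec()` sentence in section 2 is a single run-on, so split it into "the code called local bash scripts via `shell_exec()` to save and delete FTP users" and "the call received unfiltered user input, which is the RCE", and in section 4 "`[sha1 encoded secret2]`" should read "sha1 hashed", since SHA-1 is a hash, not an encoding. The two ``` fences also carry no language tag; `bash` would render the commands correctly.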