First Bug in Bugcrowd Using Github Dork

Hi Hackers, Bug Hunters

I wish you a lot of bugs and rewards

It’s been a while since my last post on medium but I’m back, I want to tell you a short story about a private bug bounty program and why you can always check public Repos on GitHub, because you will be surprised.

The idea of this report you can get a security hole in a very short time while you are using Github dorks 😎🤑

GitHub Millions of developers and companies build, ship, and maintain their software on GitHub — the largest and most advanced development platform in the world.

Let’s start with how you can get sensitive information leak Sensitive information is as follows

{User names , Passwords , Emails , Token , Secret key , backup file , and More}

Dorks Helpful

GitHub Dorks for Finding Files:

“company name” filename:database

“company name” filename:secrets.yml

“company name” filename:passwd

“company name” filename:LocalSettings.php

“company name” filename:config.php

“company name” filename:config.inc.php

“company name” filename:configuration.php

“company name” filename:shadow

“company name” filename:.env

“company name” filename:wp-config.php

“company name” filename:credentials

“company name” filename:id_rsa

“company name” filename:id_dsa

“company name” filename:.sqlite

“company name” filename:secret_token.rb

“company name” filename:settings.py

“company name” filename:credentials.xml

GitHub Dorks for Finding API Keys, Tokens, and Passwords

“company name” api_key

“company name” client_secret

“company name” api_token:

“company name” client_id

“company name” shodan_api_key

“company name” password

“company name” user_password

“company name” client_secret

“company name” secret

“company name” user auth

GitHub Dorks for Finding information sensitive from programming language

“Company name” language:python

“Company name” language:bash

“company name” language:shell

“company name” language:bash

“company name” language:SQL

“company name” language:Shell

“company name” db_password

“company name” apikey

“company name” pwd

“company name” fb_secret

After opening Github and I take the domain name {example.com} and used this dork {“Company name” language:python}

I got a file the last update 5 days ago

I used Ctrl + F use (doamin_name)
To search the file because the file contains a lot of information
And the result was your there email and Password 😮😮😮

I Surprising , I tried to find a Login page for this Domain
and use Email and password 🤭🤭🤭

Surprisingly, I access to Console admin

look here friend

I hope you enjoyed reading and I will be pleased if you have any feedback!