First Bug in Bugcrowd Using Github Dork
Hi Hackers, Bug Hunters
I wish you a lot of bugs and rewards
It’s been a while since my last post on Medium, but I’m back. I want to tell you a short story about a private bug bounty program and why you can always check public repos on GitHub, because you will be surprised.
The idea of this report is that you can find a security hole in a very short time using GitHub dorks 😎🤑
GitHub: millions of developers and companies build, ship, and maintain their software on GitHub, the largest and most advanced development platform in the world.
Let’s start with how you can find a sensitive information leak. Sensitive information includes the following:
{Usernames, passwords, emails, tokens, secret keys, backup files, and more}
Helpful Dorks
GitHub Dorks for Finding Files:
“company name” filename:database
“company name” filename:secrets.yml
“company name” filename:passwd
“company name” filename:LocalSettings.php
“company name” filename:config.php
“company name” filename:config.inc.php
“company name” filename:configuration.php
“company name” filename:shadow
“company name” filename:.env
“company name” filename:wp-config.php
“company name” filename:credentials
“company name” filename:id_rsa
“company name” filename:id_dsa
“company name” filename:.sqlite
“company name” filename:secret_token.rb
“company name” filename:settings.py
“company name” filename:credentials.xml
GitHub Dorks for Finding API Keys, Tokens, and Passwords
“company name” api_key
“company name” client_secret
“company name” api_token:
“company name” client_id
“company name” shodan_api_key
“company name” password
“company name” user_password
“company name” client_secret
“company name” secret
“company name” user auth
GitHub Dorks for Finding Sensitive Information by Programming Language
“Company name” language:python
“Company name” language:bash
“company name” language:shell
“company name” language:bash
“company name” language:SQL
“company name” language:Shell
“company name” db_password
“company name” apikey
“company name” pwd
“company name” fb_secret
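The dork lists above double as a checklist for your own repositories before they go public. The following is an added example, not code from the original post: a small Python scanner that flags the same filenames and keyword assignments in a local checkout. The function names, the literal-value heuristic and the sample files are constructed for illustration.

```python
import os
import re
import tempfile

# Subset of the filenames in the post's "Finding Files" list.
RISKY_NAMES = {".env", "secrets.yml", "passwd", "shadow", "credentials",
               "credentials.xml", "id_rsa", "id_dsa", "wp-config.php",
               "config.php", "LocalSettings.php", "secret_token.rb"}
# Keywords from the post's API key, token and password lists.
KEYWORDS = ["api_key", "apikey", "api_token", "client_secret", "db_password",
            "user_password", "fb_secret", "password", "secret", "pwd"]
# keyword, optional quote, "=" or ":", then a value of 4+ characters.
ASSIGN = re.compile(r"(?i)(" + "|".join(KEYWORDS) +
                    r")[\"']?\s*[=:]\s*[\"']?([^\s\"'#,]{4,})")

def is_literal(value):
    """Heuristic: lookups, calls and ${VAR} placeholders are not hardcoded."""
    return (value.lower() not in {"none", "null", "changeme"}
            and not re.search(r"[(\[{$<]", value))

def scan_tree(root):
    """Return sorted (relative_path, line_number, reason) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name in RISKY_NAMES or name.endswith(".sqlite"):
                findings.append((rel, 0, "risky filename"))
            with open(path, errors="ignore") as fh:
                for lineno, line in enumerate(fh, 1):
                    m = ASSIGN.search(line)
                    if m and is_literal(m.group(2)):
                        findings.append((rel, lineno, m.group(1).lower()))
    return sorted(findings)

def demo():
    """Scan a constructed sample tree (all values are made up)."""
    samples = {".env": "DB_PASSWORD=Sup3rS3cret!\n",
               "settings.py": "import os\nAPI_KEY = os.environ['API_KEY']\n",
               "deploy.sh": "curl -d client_secret=abcd1234efgh https://example.com\n"}
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        return scan_tree(root)

if __name__ == "__main__":
    print(*("%s:%d: %s" % f for f in demo()), sep="\n")
```

Run `scan_tree()` on a checkout before pushing; a line number of 0 marks a finding on the filename itself, and `settings.py` in the sample is not flagged because its key is read from the environment.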
After opening GitHub, I took the domain name {example.com} and used this dork {“Company name” language:python}
I got a file that was last updated 5 days ago
I used Ctrl + F with (domain_name)
to search the file, because the file contains a lot of information
And the result was there: an email and password 😮😮😮
I was surprised. I tried to find a login page for this domain
and used the email and password 🤭🤭🤭
Surprisingly, I got access to the admin console
Look here, friend
I hope you enjoyed reading and I will be pleased if you have any feedback!