Finding hidden gems vol. 3: quick win with .sh file

I observed that some application deployment’s automation is done by the use of shell scripts, mostly files with .sh extensions.

Based on the popular filenames found on GitHub (search for site:github.com ext:sh) I routinely check for such files during bug bounty hunting in my spare time.

Once it ended up quite unexpected.

I found a file, let’s say it was install.sh on one site which was WordPress based blog.

[--CUT--]
echo "Setting up blog"
echo "- Admin URL: ${local_url}/wp-admin"
echo "- Wp User: c[--EDITED--]"
echo "- Wp Pass: [--EDITED--]
[--CUT--]

What? WordPress admin credentials in plaintext?!

When I saw this, I said to myself “No way it works. Forget it”.

Still I opened the /wp-admin and entered login and password just to see the login error. I looked for a few seconds on the spinner waiting for this error to show up. To my surprise I was logged in instead. I immediately checked if I was an admin.

Yes I was. So, I filled the report. Few hours later I got the message below.

Thank you for this report, and given the severity, I have gone ahead and paid a full P1 bounty. We are working on resolving this now and should have it done soon.
Thank you for your participation in the program and we look forward to future reports!

Nice of them.

Lessons learned

  • For myself - build a list of common sh files
  • Bug hunters - search for common sh files during recon
  • Developers - make sure you do not have any shell scripts in web root, if you do definitely do not store admin password in those files

If you enjoyed this story go see two previous parts: