Django debug mode to RCE in Microsoft acquisition

As usual, I was doing recon using Censys (https://censys.io/) and Shodan (https://www.shodan.io/). I was looking for domains with Django debug mode enabled, using the following search queries.

censys - 443.https.get.body: "URLconf defined"
shodan - html:"URLconf defined" 404

I opened the main domains one by one and noticed that one of them redirected to a Microsoft acquisition's domain, which surprised me. Then I opened the Django host by its IP address, and the response looked as follows:

Django Debug mode enabled.

As a Django developer I know that a 500 Internal Server Error response returns sensitive information, but how do you force a 500 status code? I tried many ways but failed to get a 500. After a lot of searching on Google I still could not do it, until an idea came to mind: HTTP verb tampering. Using Burp Suite I changed the method from GET to POST, sent the request to the /admin path and got a 500 response.


Then, reading the traceback for sensitive information, I got a bunch of it: Django hides many secrets as *********, but some credentials, like the MongoDB URI, the Redis URI and the Azure storage queue URI, were not hidden.

Redis URI and Azure queue storage URI
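The masking seen in the traceback is Django's SafeExceptionReporterFilter, and it decides by the name of a setting, not by its value: SECRET_KEY or anything ending in _PASSWORD is starred out, while a connection string named MONGO_URI or REDIS_URL is shown in full, password included. The script below is an added example (my own code, not the author's and not Django's; it deliberately avoids importing Django so it runs stand-alone). It reproduces the name-based rule with the Django 3.x pattern, adds a stricter rule that also redacts URL userinfo and Azure AccountKey fields, and reports which entries of a constructed settings dict would leak under the default rule. All hosts, account names, keys and passwords are placeholders.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Name-based pattern reproduced from Django's SafeExceptionReporterFilter
# (django/views/debug.py). This is the Django 3.x list; later releases
# append further tokens, so check the version you actually run.
HIDDEN_SETTINGS = re.compile(r"API|TOKEN|KEY|SECRET|PASS|SIGNATURE", re.I)
CLEANSED = "********************"

# Azure Storage connection strings carry the account key in an 'AccountKey='
# field and SAS tokens in 'SharedAccessSignature='; neither form is a URL,
# so a URL-userinfo check alone would miss them.
AZURE_SECRET_FIELDS = re.compile(r"(AccountKey|SharedAccessSignature)=[^;]+", re.I)


def cleanse_by_name(name, value):
    """Django's default rule: mask a setting only when its *name* looks sensitive."""
    if HIDDEN_SETTINGS.search(name):
        return CLEANSED
    return value


def url_has_credentials(value):
    """True when a string parses as a URL whose netloc carries a user and/or password."""
    if not isinstance(value, str):
        return False
    try:
        parts = urlsplit(value)
    except ValueError:
        return False
    if not (parts.scheme and parts.netloc):
        return False
    return bool(parts.username) or parts.password is not None


def redact_url(value):
    """Keep scheme, host, port and path; replace the whole userinfo with a marker."""
    parts = urlsplit(value)
    host = parts.hostname or ""
    try:
        if parts.port is not None:
            host = f"{host}:{parts.port}"
    except ValueError:  # malformed port: leave the bare host
        pass
    return urlunsplit((parts.scheme, f"****@{host}", parts.path, parts.query, parts.fragment))


def cleanse_strict(name, value):
    """Stricter rule: mask on name, on embedded URL credentials, or on Azure key fields."""
    if HIDDEN_SETTINGS.search(name):
        return CLEANSED
    if url_has_credentials(value):
        return redact_url(value)
    if isinstance(value, str) and AZURE_SECRET_FIELDS.search(value):
        return AZURE_SECRET_FIELDS.sub(lambda m: f"{m.group(1)}={CLEANSED}", value)
    return value


def cleanse_settings(settings, rule):
    """Apply a cleansing rule to every setting, as the debug page does before rendering."""
    return {name: rule(name, value) for name, value in settings.items()}


# Constructed sample settings modelled on the kinds of values the post describes.
# Hosts, names, keys and passwords are placeholders, not real infrastructure.
SAMPLE_SETTINGS = {
    "DEBUG": True,
    "SECRET_KEY": "django-insecure-constructed-example-key",
    "MONGO_URI": "mongodb://app:hunter2@mongo.internal:27017/dev",
    "REDIS_URL": "redis://:hunter2@redis.internal:6379/0",
    "AZURE_QUEUE_CONNECTION_STRING": (
        "DefaultEndpointsProtocol=https;AccountName=constructedacct;"
        "AccountKey=Q29uc3RydWN0ZWRLZXk=;EndpointSuffix=core.windows.net"
    ),
    "ALLOWED_HOSTS": ["*"],
}


def leaked_by_default(settings=SAMPLE_SETTINGS):
    """Names of settings the name-only rule leaves intact but the strict rule would redact."""
    default = cleanse_settings(settings, cleanse_by_name)
    strict = cleanse_settings(settings, cleanse_strict)
    return sorted(name for name in settings if default[name] != strict[name])


if __name__ == "__main__":
    for name, value in cleanse_settings(SAMPLE_SETTINGS, cleanse_by_name).items():
        print(f"default  {name} = {value}")
    for name, value in cleanse_settings(SAMPLE_SETTINGS, cleanse_strict).items():
        print(f"strict   {name} = {value}")
    print("leaked by the name-only rule:", leaked_by_default())
```

Running it shows the three connection strings passing the default rule untouched while SECRET_KEY is starred out. In a real project the stricter rule would live in a subclass of SafeExceptionReporterFilter that overrides cleanse_setting, wired in through the DEFAULT_EXCEPTION_REPORTER_FILTER setting; that only limits what a debug page reveals, and the primary control is still DEBUG = False on anything reachable from the internet, with a regular check that a deliberately failing request (including a POST to a GET-only view) returns the plain 500 page rather than a traceback.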

I tried to connect to MongoDB, and yes, I got connected to the database, but there was nothing sensitive in it; it held development dummy data. Then I went for Redis, tried to connect, and bingo! I got connected to the Redis cache. I had previously read many articles about Redis RCE: if you get access to a Redis server you can perform RCE by writing crontab files to get a reverse connection.

Reference — https://medium.com/@knownsec404team/rce-exploits-of-redis-based-on-master-slave-replication-ef7a664ce1d0

I reported it to MSRC. The issue is now fixed.

I wrote a book about bug bounty automation with Python; you can find more findings like this one, and how to automate them, in that book. It is now available on Amazon Kindle.

Thanks for reading and supporting.
