censys - 443.https.get.body: "URLconf defined"
shodan - html:"URLconf defined" 404
I opened the main domains one by one and noticed that one domain redirected to a Microsoft acquisition's domain, which surprised me. Then I opened that Django IP address, and the response looked as follows:
As a Django developer I know that a 500 Internal Server Error response returns sensitive information, but how do you make the server return a 500 status code? I tried many ways but failed to get a 500 response code, and I searched a lot on Google without success, until an idea came to mind: yes, HTTP verb tampering. I simply changed GET to POST using Burp Suite, sent the request to the /admin path, and got a 500 response.
Then, reading the traceback error message for sensitive information, I got a bunch of it. Much of the secret information is hidden by Django as *********, but some credentials, such as the MongoDB URI, Redis URI and Azure Storage Queue URI, were not hidden.
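Why URIs slip through while passwords are starred out: Django's debug-page filter masks a setting by matching its *name* against a short pattern, not by inspecting its value. The following is an added example, not code from the writeup or from Django itself; it assumes the name pattern mirrors Django's default SafeExceptionReporterFilter, and the sample settings are constructed. It audits a settings dict for values that would be shown in the clear despite embedding credentials, and shows how to redact them.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Assumption: this mirrors the name pattern Django's default
# SafeExceptionReporterFilter uses to decide which settings to mask on a
# DEBUG=True error page. It is matched case-insensitively against the
# setting's NAME only, so a value like "redis://:pw@host" under a name
# such as REDIS_URI is never masked.
HIDDEN_SETTINGS = re.compile(r"API|TOKEN|KEY|SECRET|PASS|SIGNATURE", re.I)

def is_masked(name: str) -> bool:
    """True if a setting with this name would be shown as '********'."""
    return HIDDEN_SETTINGS.search(name) is not None

def url_has_credentials(value) -> bool:
    """True if a string value is a URL carrying a user:password@ part."""
    if not isinstance(value, str):
        return False
    parts = urlsplit(value)
    return bool(parts.scheme) and parts.password is not None

def redact_url(value: str) -> str:
    """Return the URL with its password replaced by '***' (unchanged if none)."""
    parts = urlsplit(value)
    if parts.password is None:
        return value
    host = parts.hostname or ""
    if parts.port:
        host += f":{parts.port}"
    netloc = f"{parts.username or ''}:***@{host}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))

def audit_settings(settings: dict) -> list:
    """Names of settings a debug page would display unmasked even though
    their value embeds credentials: the ones to rename or pull from env."""
    return sorted(n for n, v in settings.items()
                  if not is_masked(n) and url_has_credentials(v))

# Constructed sample settings, loosely modelled on the writeup (fake values)
SAMPLE_SETTINGS = {
    "SECRET_KEY": "not-a-real-key",
    "DB_PASSWORD": "hunter2",
    "MONGODB_URI": "mongodb://app:pw123@mongo.example.internal:27017/dev",
    "REDIS_URI": "redis://:cachepw@cache.example.internal:6379/0",
    "STATIC_URL": "/static/",
}

if __name__ == "__main__":
    for name in audit_settings(SAMPLE_SETTINGS):
        print(f"{name} shown in clear; redacted: {redact_url(SAMPLE_SETTINGS[name])}")
```

Renaming such settings to include e.g. PASS or SECRET (or moving them out of settings entirely) gets them masked, but the real fix is DEBUG=False in production so no traceback page is served at all.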
I tried to connect to MongoDB, and yes, I got connected to the MongoDB database, but there was nothing sensitive in that db; it was just development dummy data. Then I went for Redis and tried to connect, and bingo! I got connected to the Redis cache. Previously I had read many articles about Redis RCE: if you get access to a Redis server you can perform RCE by writing crontab files to get a reverse connection.
Just reported to MSRC. Issue is fixed now.
I wrote a book about bug bounty automation with Python — you can find more such things in it, and I explain how to automate them. Now available on Amazon Kindle.
Bug Bounty Automation With Python: The secrets of bug hunting
Thanks for reading and supporting