Unauthorized access to Django Admin Dashboard by endpoint leaked on GitHub

Hi, everyone

My name is Santosh Kumar Sha, I’m a security researcher from India (Assam). In this article, I will describe how I was able to gain unauthorized access to a Django admin dashboard through an endpoint leaked on GitHub.

Tools used for the exploitation:

1. Subfinder (https://github.com/projectdiscovery/subfinder)

2. httpx (https://github.com/projectdiscovery/httpx)

3. gau(Corben) — https://github.com/lc/gau

4. waybackurls(tomnomnom) — https://github.com/tomnomnom/waybackurls

5. Aquatone

Story Behind the bug:

Here it goes:

In scope: *.example.com

To gather all the subdomains from internet archives, I used subfinder, waybackurls and gau.

Command used:

gau -subs example.com

waybackurls example.com

There was still a chance of missing subdomains, so, in order to stay ahead of the game and not miss any subdomain for testing, I used subfinder and piped the results to waybackurls to get all the URLs for every subdomain that exists, and saved them to a file.

So the final command will look like this:

waybackurls example.com | unfurl domains >> vul2.txt

subfinder -d example.com -silent >> vul3.txt

Now that we have collected all the subdomains, it is time to resolve them to filter the dead subdomains out of the list, and then pipe the result into aquatone to take screenshots of the domains/URLs. aquatone accepts both URLs and domains as input. Here is the command used for it:

cat vul1.txt vul2.txt vul3.txt | httpx -silent | aquatone -ports 80,443,8080,8433,8090,8009
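The `unfurl domains` step above reduces a pile of archived URLs to unique hosts; the same list is also worth a defender-side pass that flags any URL whose path looks like an administrative interface, so that each one can be checked for enforced authentication. The script below is an added example and not part of the original post or any of the tools it names; the sample URLs, the `ADMIN_PATH_PATTERN` list and the function names are constructed for illustration.

```python
"""Triage archived URL lists (gau / waybackurls style output): extract unique
hosts the way `unfurl domains` does, then flag URLs whose path looks like an
admin interface so their authentication can be verified.

Added example; not code from the original post. The sample URLs below are
constructed for illustration only.
"""
import re
from urllib.parse import urlsplit

# Constructed sample of archive output, one URL per line, as gau/waybackurls print it.
SAMPLE_ARCHIVE_OUTPUT = """\
https://www.example.com/
https://www.example.com/about?ref=footer
http://api.example.com/v1/users
https://testdev.admin.example.com:8080/
https://testdev.admin.example.com:8080/django/next/admin/dashboard
https://static.example.com/js/app.min.js
not a url at all
https://staging.example.com/wp-admin/
"""

# Path segments that usually mark an administrative or management interface (assumed list).
ADMIN_PATH_PATTERN = re.compile(
    r"/(admin|dashboard|manage|wp-admin|console|phpmyadmin)(/|$)", re.IGNORECASE
)


def parse_urls(text: str) -> list:
    """Return the well-formed http(s) URLs from raw tool output, in order, skipping junk lines."""
    urls = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = urlsplit(line)
        if parts.scheme in ("http", "https") and parts.hostname:
            urls.append(line)
    return urls


def extract_hosts(text: str) -> list:
    """Equivalent of `unfurl domains | sort -u`: unique hostnames (port dropped), sorted."""
    hosts = {urlsplit(u).hostname.lower() for u in parse_urls(text)}
    return sorted(hosts)


def flag_admin_urls(text: str) -> list:
    """Return (host[:port], path) pairs whose path looks like an admin interface.

    Archived URLs are public, so the path alone is never a secret; every
    flagged entry should be confirmed to require authentication.
    """
    flagged = []
    for u in parse_urls(text):
        parts = urlsplit(u)
        if ADMIN_PATH_PATTERN.search(parts.path):
            flagged.append((parts.netloc.lower(), parts.path))
    return flagged


if __name__ == "__main__":
    print("hosts:", extract_hosts(SAMPLE_ARCHIVE_OUTPUT))
    for host, path in flag_admin_urls(SAMPLE_ARCHIVE_OUTPUT):
        print(f"check auth on {host}{path}")
```

Feeding it real `gau`/`waybackurls` output is a matter of reading stdin instead of `SAMPLE_ARCHIVE_OUTPUT`; the point is that the inventory of "admin-looking" paths comes from public archives, which is exactly where an outsider would get it too.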

After the screenshots were done and I was going through them, I found a screenshot of a URL showing a “Django not found” error, which caught my attention as I had never seen an error like this. So I decided to dig into this URL and check its source and JS for any information leak, but had no success as it was a dead end. I also tried brute-forcing directories, but with no success either. The URL looked like this:

https://testdev.admin.example.com:8080/

Now I decided to do some GitHub recon for the target URL “testdev.admin.example.com” to find some secret on GitHub that would give access to the Django server.

Now the actual GitHub recon starts. The general form of the dork:

“testdev.admin.example.com” user:<username> <keytosearch>

I started with some simple dorks like the ones below, but no leaks were found:

“testdev.admin.example.com” user:<username> auth_token

“testdev.admin.example.com” user:<username> apikey

“testdev.admin.example.com” user:<username> secret

So I decided to search for the organization name along with “Django” as keywords. The GitHub dork looked like this:

“testdev.admin.example.com” org:<name of organisation> “Django”

I got to see the Django keyword in my GitHub results, so I then tried to get the password and auth key for that Django server. So I used the dorks below:

“testdev.admin.example.com” org:<name of organisation> “Django” api_key

“testdev.admin.example.com” org:<name of organisation> “Django” auth_token

“testdev.admin.example.com” org:<name of organisation> “Django_admin”

But no success here either. This time I was not in the mood to let it go, so I decided to search for a path or endpoint of the Django server. I used the final dork below to get the endpoint:

“example.com” org:<name of organisation> “Django” /admin/dashboard

And I got an endpoint that looked like this: “/django/next/admin/dashboard”

Now I appended the endpoint to the URL as below:

https://testdev.admin.example.com:8080/django/next/admin/dashboard

And I was successfully logged into the Django admin dashboard.

I quickly reported the bug, and the next day the report was triaged as critical.

After seeing this my reaction …
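The root cause here is that the dashboard was reachable at a non-standard path and nothing enforced authentication on it; a path that is only hidden is not protected, because archives and source repositories leak paths. The defensive fix is to require a logged-in staff user for every request under the admin prefix, which Django offers through `@staff_member_required` or a middleware. The class below is an added example, not the post's or Django's own code: it is written in Django's middleware calling shape (`__init__(self, get_response)` / `__call__(self, request)`), but uses tiny stand-in `User`/`Request`/`Response` classes so it runs without Django installed, and the `PROTECTED_PREFIXES` and `handle` helper are assumptions for illustration.

```python
"""Deny-by-default access control for admin paths, in the shape of a Django
middleware. Added example; not the original post's code and not Django's.
The stand-in Request/Response/User classes exist only so this runs offline;
in a real project the middleware would receive Django's HttpRequest.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    is_authenticated: bool = False
    is_staff: bool = False


@dataclass
class Request:
    path: str
    user: User = field(default_factory=User)


@dataclass
class Response:
    status_code: int
    body: str = ""


# Every path under these prefixes requires a logged-in staff user, no matter
# how the URL was discovered. A renamed path such as /django/next/admin/ is
# covered because the check is on the prefix, not on one known URL. (Assumed list.)
PROTECTED_PREFIXES = ("/admin/", "/django/next/admin/", "/dashboard/")


class StaffOnlyAdminMiddleware:
    def __init__(self, get_response, protected_prefixes=PROTECTED_PREFIXES):
        self.get_response = get_response
        # Normalise so each prefix matches both "/admin" and "/admin/anything", but not "/adminx".
        self.prefixes = tuple(p.rstrip("/") for p in protected_prefixes)

    def is_protected(self, path: str) -> bool:
        for prefix in self.prefixes:
            if path == prefix or path.startswith(prefix + "/"):
                return True
        return False

    def __call__(self, request):
        if self.is_protected(request.path):
            user = request.user
            if not user.is_authenticated:
                # Anonymous: redirect to login; the dashboard itself is never rendered.
                return Response(302, "redirect: /accounts/login/?next=" + request.path)
            if not user.is_staff:
                # Logged in but not staff: explicit forbidden rather than a silent 200.
                return Response(403, "forbidden")
        return self.get_response(request)


def render_view(request) -> Response:
    """Stand-in for the downstream view chain: renders whatever was asked for."""
    return Response(200, "page: " + request.path)


def handle(path: str, user: Optional[User] = None) -> Response:
    """Run one request through the middleware and return the final response."""
    app = StaffOnlyAdminMiddleware(render_view)
    return app(Request(path=path, user=user or User()))


if __name__ == "__main__":
    for path, user in [
        ("/django/next/admin/dashboard", User()),
        ("/django/next/admin/dashboard", User(is_authenticated=True)),
        ("/django/next/admin/dashboard", User(is_authenticated=True, is_staff=True)),
        ("/about", User()),
    ]:
        print(path, "->", handle(path, user).status_code)
```

The useful property is that the decision is made once, for the whole prefix, before any admin view runs; a view that is added later under the same prefix, or mounted at an unusual path like the one in this story, inherits the check instead of depending on someone remembering to decorate it.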

Takeaway

I’m sure a lot of security researchers have already seen this process, but this is how I approach things when I see an error that I have no idea what to do with. So always check the error you get, and always search GitHub for that error or for the endpoint if you don’t get any information after file/directory brute-forcing.

That’s one of the reasons why I wanted to share my experience, and also to highlight other techniques to exploit such vulnerabilities.

Support me if you like my work! Buy me a coffee and Follow me on Twitter.
