
Unauthorised access to Django Admin Dashboard by endpoint leaked on GitHub


Hi, everyone

My name is Santosh Kumar Sha, I am a security researcher from India (Assam). In this article, I will describe how I was able to gain unauthorized access to a Django admin dashboard through an endpoint leaked on GitHub.

I am now offering 1:1 sessions to share my knowledge and expertise:

topmate.io/santosh_kumar_sha

TOOLS used for the exploitation

1. Subfinder (https://github.com/projectdiscovery/subfinder)

2. httpx (https://github.com/projectdiscovery/httpx)

3. gau(Corben) — https://github.com/lc/gau

4. waybackurls(tomnomnom) — https://github.com/tomnomnom/waybackurls

5. Aquatone

Story Behind the bug:

This is the write-up of a recent bug that I found. While doing recon, I gathered all the domains from internet archives using waybackurls and gau, and also used subfinder, so I collected subdomains from both passive and active recon. I then resolved all the domains and, once they were resolved, ran aquatone to screenshot every URL. While going through the screenshots I came across one where a URL returned a “Django not found” error.

Here it goes:

Suppose the target is example.com and everything under it is in scope, like this:

In-scope : *.example.com

To gather all the subdomains from internet archives I used subfinder, waybackurls and gau.

Command used:

subfinder -d example.com -silent

gau -subs example.com

waybackurls example.com

There is still a chance of missing subdomains, and to stay ahead of the game I did not want to leave any subdomain untested. So I used subfinder together with waybackurls and gau, piped the archived URLs through unfurl to extract every host they contain, and saved each result to a file.

So the final command will look like this:

gau -subs example.com | unfurl domains >> vul1.txt

waybackurls example.com | unfurl domains >> vul2.txt

subfinder -d example.com -silent >> vul3.txt
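The three commands above produce three separate files that still contain duplicates, mixed case, and (from gau and waybackurls) hosts that are not in scope at all. The script below is an added example, not the author's own script: it merges the three sources, normalises and dedupes the hosts, keeps only hosts under the in-scope apex, and then hands the list to httpx and aquatone as described in the story. The tool flags (`-silent`, `-subs`, `-l`, `-title`, `-status-code`, `-o`, `-out`) are the ones in the write-up or documented upstream at the time of writing; treat them as an assumption and check `tool -h` on your install.

```shell
#!/usr/bin/env bash
# Added example: merge recon sources, scope-filter, dedupe, then probe.
# Not the author's code. Assumes subfinder, gau, waybackurls, unfurl,
# httpx and aquatone are on PATH with the flags used in the write-up.

# Normalise a raw host list on stdin: strip scheme, port, path and query,
# lowercase, drop trailing dots and empty lines, and dedupe.
normalise_hosts() {
  sed -E 's#^[a-zA-Z]+://##; s#[/:?].*$##' \
    | tr 'A-Z' 'a-z' \
    | sed -E 's/\.$//' \
    | grep -v '^$' \
    | sort -u
}

# Keep only the apex itself or hosts ending in ".<apex>". gau/waybackurls
# also return URLs for third-party hosts, so this keeps probing in scope
# and avoids "notexample.com"-style false positives.
in_scope() {
  local apex="$1"
  local re
  re="$(printf '%s' "$apex" | sed 's/\./\\./g')"   # escape dots for grep -E
  grep -E "(^|\.)${re}\$"
}

# Gather hosts from all three sources and write the merged, scoped list to $2.
gather() {
  local domain="$1" out="$2"
  {
    subfinder -d "$domain" -silent
    gau -subs "$domain" | unfurl domains
    waybackurls "$domain" | unfurl domains
  } | normalise_hosts | in_scope "$domain" > "$out"
}

# Resolve live HTTP(S) services, record status and title, then screenshot.
# httpx prints "<url> [status] [title]"; the first field is the URL aquatone wants.
probe() {
  local hosts="$1"
  httpx -l "$hosts" -silent -title -status-code -o live.txt
  cut -d' ' -f1 live.txt | aquatone -out aquatone_out
}

# Usage (network required): gather example.com all_hosts.txt && probe all_hosts.txt
```

When reviewing the aquatone report, a Django “Page not found (404)” page that enumerates URL patterns means DEBUG is on; any admin or staff route it lists is worth a direct visit, which is exactly the kind of screenshot that led to the finding in this story.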

Written by Santosh Kumar Sha (@killmongar1996)

Cloud Security | Security Researcher | Pentester | Bug bounty hunter | VAPT | Penetration tester | CTF player | topmate.io/santosh_kumar_sha
