Unauthorized access to Django Admin Dashboard by endpoint leaked on GitHub
My name is Santosh Kumar Sha, I’m a security researcher from India(Assam). In this article, I will be describing how I was able to Unauthorized access to Admin Dashboard by endpoint leaked by GitHub.
TOOLS used for the exploitation
1. Subfinder (https://github.com/projectdiscovery/subfinder)
2. httpx (https://github.com/projectdiscovery/httpx)
3. gau(Corben) — https://github.com/lc/gau
4. waybackurls(tomnomnom) — https://github.com/tomnomnom/waybackurls
Story Behind the bug:
This is the write of my Recent bug that i found . While I was doing recon for gathering all domain from internet archives using waybackurls and gau and also by using subfinder. So, i collected all the subdomain from passive and active recon. And started resolving all the domain after resolving i run the aquatone to screenshot all the url. while taking the scrrenshot I came across an screenshot where it say “Django not found” error in one the url
Here it goes:
Suppose we assume the target name is example.com where every thing is in-scope like this:
In-scope : *.example.com
To gather all the subdomain from internet archives i have used subfinder , waybackurls tool and gau.
subfinder -d example.com silent
gau -subs example.com
So the chance of missing the subdomain still exist so in-order to be ahead of the game I don’t want to miss any subdomain for testing so I used subfinder and pipe to waybackurls to get all the domain for all the subdomain if exist and save it to a file.
So the final command will look like this:
gau -subs example.com | unfurl domains>> vul1.txt
waybackurls example.com | unfurl domains >> vul2.txt
subfinder -d example.com -silent >> vul3.txt
Now, we have collected all the subdomain ,so its times to resolve all the subdomain to filter out the dead subdomain from the list and then i pipe it aquatone to take the screenshot of the domain/urls. As aquatone take both url and domain as input . Here the command used for it
cat vul1.txt vuln2.txt vul3.txt | httpx -silent | aquatone -ports 80,443,8080,8433,8090,8009
So after the screenshot was done and will I was going through the screenshot I found a screenshot of a url which say “Django not found “ error which caught by attention as I have never seen any error like this .So,I decided to go dig check for this url the source and js for any information leak but no success as it was an deadened. I also tried to brute directory but no success here also.so, the url was like this
Now i decided to do some GitHub recon for the target url “testdev.admin.example.com” to find some secret from the GitHub to access to the Django server.
NOW the actual Github recon start:
Now as GitHub has a huge resource of data and doing GitHub recon is an time consume task to filter out the information the target. So I decided to target the user of the organization as the user of an organization the weakest link and the tendency of leaking secret by user it more. But the organization was huge and also have more than 200 user so search for each user it a time consume time and to filter out the information is huge. SO the syntax i used was like this below
“testdev.admin.example.com” user:<username> <keytosearch>
So I used some simple dorks like below but not leaked were found
“testdev.admin.example.com” user:<username> auth_token
“testdev.admin.example.com” user:<username> apikey
“testdev.admin.example.com” user:<username> secret
So i decided to search for django and with the organization namealong with Django as keywords. The github dork was like below:
“testdev.admin.example.com” org:<name of organisation> “Django”
I got the see the Django keyword in my github result now i tried to get the password and authanf key for that django server. So this user below dork:
“testdev.admin.example.com” org:<name of organisation> “Django” api_key
“testdev.admin.example.com” org:<name of organisation> “Django” auth_token
“testdev.admin.example.com” org:<name of organisation> “Django_admin”
But no sucesss here also .This time i was not in mood of letting it go so the decided to search for path or endpoint for the Django server . so used the below final dork to get the endoint:
“example.com” org:<name of organisation> “Django” /admin/dashboard
And I got an endpoint that look like this “/django/next/admin/dashboard”
Now I was the endpoint to the url as below
And I was successfully logged into Django admin dashboard
I quickly reported the bug and in the next day the report was triage to critical
After seeing this my reaction …
I’m sure that a lot of security researcher had already see there process but this how I approach When i see an error that I have no idea that to do. So alway check that error you get and always check fot that error oin github or for the endpoint if you dont’t get any information after file/directory bruteforcing.
That’s one of the reasons why I wanted to share my experience. also to highlight other techniques to exploit such vulnerability.