Django debug mode to RCE in Microsoft acquisition

4 years ago


Django Debug mode enabled.

As a Django developer I know that a 500 Internal Server Error response returns sensitive information, but how do you get a 500 status code response? I tried many ways but failed to trigger a 500 response code. I searched a lot in Google but was not able to do it until an idea came to mind: yes, HTTP verb tampering. I just changed GET to POST using Burp Suite, sent the request to the /admin path and got a 500 response.


Then, reading the traceback error message for sensitive information, I got a bunch of information. Much secret information is hidden by Django as *********, but some credentials like the MongoDB URI, Redis URI and Azure storage queue URI are not hidden.


Redis URI and Azure queue storage URI
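The reason the URIs leaked is that Django's debug page masks settings by their name (anything matching API, TOKEN, KEY, SECRET, PASS, SIGNATURE), not by their value, so a connection string with credentials embedded in it slips through when the setting is called something like MONGO_URI. The following script is an added example, not part of the original post or of Django: it reimplements that name-based rule (the regex is copied from Django's default filter as an assumption; check it against your own version) and flags settings whose values still carry credentials, so a developer can find them before DEBUG ever reaches production. The sample settings are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Django's default SafeExceptionReporterFilter masks a setting by NAME when it
# matches this pattern (assumption: copied from Django's documented default).
HIDDEN_SETTINGS = re.compile(r"API|TOKEN|KEY|SECRET|PASS|SIGNATURE|HTTP_COOKIE", re.I)

# Query-string keys that typically carry a token (e.g. Azure SAS "sig=").
SENSITIVE_QUERY_KEYS = {"sig", "sas", "token", "key", "password", "secret"}


def is_masked_by_name(name: str) -> bool:
    """Would Django's debug page replace this setting's value with *****?"""
    return HIDDEN_SETTINGS.search(name) is not None


def has_embedded_credentials(value) -> bool:
    """True if a string value is a URL carrying user:pass@ or a token param."""
    if not isinstance(value, str):
        return False
    parts = urlsplit(value)
    if not parts.scheme:
        return False
    if parts.username or parts.password:          # mongodb://user:pw@host
        return True
    keys = {k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    return bool(keys & SENSITIVE_QUERY_KEYS)       # https://...?sig=...


def find_leaky_settings(settings: dict) -> list:
    """Names of settings that the DEBUG traceback page would show in clear
    even though their value contains credentials."""
    return sorted(
        name for name, value in settings.items()
        if has_embedded_credentials(value) and not is_masked_by_name(name)
    )


# Constructed sample settings; not the values from the report.
SAMPLE_SETTINGS = {
    "DEBUG": True,
    "SECRET_KEY": "django-insecure-constructed",
    "DATABASE_PASSWORD": "hunter2",
    "MONGO_URI": "mongodb://appuser:S3cret@mongo.example.internal:27017/app",
    "REDIS_URL": "redis://:cachepw@cache.example.internal:6379/0",
    "AZURE_QUEUE_URL": "https://acct.queue.core.windows.net/jobs?sv=2020-08-04&sig=constructedsig",
    "ALLOWED_HOSTS": ["example.com"],
}

if __name__ == "__main__":
    print("Would leak on the debug page:", find_leaky_settings(SAMPLE_SETTINGS))
```

SECRET_KEY and DATABASE_PASSWORD are masked by name, while the three URIs are reported; the fix is to keep DEBUG off in production and to store such URIs under names the filter matches (or split the credentials into their own *_PASSWORD settings).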

I tried to connect to MongoDB. Yes, I got connected to the MongoDB database, but there was nothing sensitive in that DB; it was development dummy data. Then I went for Redis and tried to connect. Bingo! I got connected to the Redis cache. Previously I had read many articles related to Redis RCE: if you get access to a Redis server you can perform RCE by writing crontab files to get a reverse connection.

Reference — https://medium.com/@knownsec404team/rce-exploits-of-redis-based-on-master-slave-replication-ef7a664ce1d0

Just reported to MSRC. Issue is fixed now.

I wrote a book about automation for bug bounty with Python; you can find more such things in it, and I explain how to automate them. Now available on Amazon Kindle.

Thanks for reading and supporting
