How I was able to get a $1000 bounty from a .DS_Store file

Photo by Florian Olivo on Unsplash

Go!

Hello, gents and ladies :). In this blog, we will talk about one bug I found a while ago. Keep in mind that I did not find this bug in just 5 minutes; it takes experience and some patience to get a bug like this. I mean, you need to keep learning to be able to find a lot of bugs. It is not a superpower; it is called continuous pursuit.

The Starter?

I will teach you how to get a bounty from a .DS_Store file in 5 minutes [just kidding]. Let's start with the starter pack. First, I collected some information about the subdomains and the ASN numbers and checked for public CVEs with some tools I will mention below. While collecting the information, I found that /.DS_Store was available. I knew there is a tool that makes it easy to dump this file from the terminal; I will mention it in the exploit section. Up to here we were talking about nothing important, so let's go to the exploit section.

Tools used in the Exploit

1 — Subfinder

2 — Httpx

3 — Nuclei

4 — ds_store_exp

Shout out to @projectdiscovery

Exploit

Hello again. First, I ran subfinder with httpx and got about 100 live subdomains, and I sent this output to Nuclei with the public templates, not private ones. While waiting for those tools to finish, I did some manual searching for bugs with the OWASP ZAP proxy, and still found nothing important. But after Nuclei finished, I found a subdomain with an Info-severity finding for a file called /.DS_Store. After this, I cloned the ds_store_exp tool and used it to dump the file. In the dump I found a directory that returned a debug error page from a Laravel application (the Symfony error page); see the image below.

Symfony Profiler Search Bar

But before that, I just saw a big error I couldn't understand anything about; after some clicks, I got the image above. Let's continue.

After that, I reported the bug as just "debug mode enabled", but someone from the triage team told me it is not a bug and asked what impact I could get from it. My first reaction was that I couldn't get anything, but after some minutes, about one hour, I clicked on the "latest" button on the left and found cookies and an IP. They were not mine; they belonged to someone from the triage team in the program. I tried to use that cookie on the main site, and the exciting thing was that I took over the account with just debug mode enabled. It only needs one click from the user to go to the error page, and I can steal their cookies.
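
To make the two findings above reproducible on your own assets, here is an added example (my code, not the author's and not the ds_store_exp tool): it confirms that a 200 for /.DS_Store is a real Finder file rather than a soft-404, heuristically lists the entry names such a file would leak, and flags a Laravel/Symfony debug error page by marker strings. The structure-ID subset and the debug markers are assumptions, and the sample bytes are constructed.

```python
import struct

# Every .DS_Store file starts with the alignment word 0x00000001 followed by "Bud1".
DS_STORE_MAGIC = b"\x00\x00\x00\x01Bud1"

# Structure IDs that follow an entry name inside a .DS_Store record. Assumption: this
# subset is enough for a heuristic scan; it is not the complete catalogue of record types.
KNOWN_STRUCT_IDS = {
    b"Iloc", b"bwsp", b"lsvp", b"lsvP", b"icvp", b"fwi0", b"fwsw", b"vstl",
    b"dilc", b"vSrn", b"cmmt", b"extn", b"modD", b"moDD", b"ph1S", b"phyS",
    b"logS", b"lg1S", b"pBBk", b"BKGD", b"ICVO", b"LSVO", b"dscl", b"icgo",
}

# Strings a Laravel/Symfony debug error page tends to contain (assumed markers).
DEBUG_PAGE_MARKERS = (b"Whoops", b"Symfony\\Component", b"_profiler", b"APP_DEBUG")

def is_ds_store(status, body):
    """True only when a 200 for /.DS_Store really carries Finder metadata; an HTML
    soft-404 answered with 200 would fool a status-only scanner check."""
    return status == 200 and body.startswith(DS_STORE_MAGIC)

def ds_store_names(body):
    """Heuristically list the entry names a leaked .DS_Store would reveal. Each record
    stores a uint32 BE char count, the name in UTF-16BE, then a 4-byte structure ID;
    this scan ignores the buddy-allocator and B-tree layout of the real format."""
    names = set()
    pos = 0
    while pos + 8 <= len(body):
        n = struct.unpack(">I", body[pos:pos + 4])[0]
        end = pos + 4 + 2 * n
        if 1 <= n <= 255 and end + 4 <= len(body) and body[end:end + 4] in KNOWN_STRUCT_IDS:
            name = body[pos + 4:end].decode("utf-16-be", errors="replace")
            if name.isprintable() and "\ufffd" not in name:
                names.add(name)
                pos = end + 4
                continue
        pos += 1
    return sorted(names)

def looks_like_debug_page(status, body):
    """A 5xx whose body exposes framework internals is the debug-mode signal to report."""
    return status >= 500 and any(marker in body for marker in DEBUG_PAGE_MARKERS)

def _record(name, struct_id):
    # Constructed sample record: name, structure ID, "bool" type tag and a 4-byte value.
    return struct.pack(">I", len(name)) + name.encode("utf-16-be") + struct_id + b"bool\x00\x00\x00\x01"

# Constructed sample, not a real dump: magic, 8 bytes of padding, then two records.
SAMPLE_DS_STORE = DS_STORE_MAGIC + b"\x00" * 8 + _record("backup.zip", b"Iloc") + _record("debug", b"bwsp")
```

Feed it the status and raw body of your own /.DS_Store and error-page responses; a real dump should be verified with a full parser such as the ds_store library before any names are trusted.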

I think it is high impact, but the team considered it medium; I don't understand why.

Conclusion

The conclusion is that the .DS_Store file is important and can get you bugs; you just need to focus more on what you got from your recon, and God willing you will be rewarded with a bounty.

Timeline

1 — Submitted the report on Aug 14th, 2021.

2 — More information on Aug 14th, 2021.

3 — Sent new information on Aug 14th, 2021.

4 — Triaged on Aug 14th, 2021.

5 — Received a bounty on Aug 19th, 2021: it was a $500 bounty and a $500 bonus.

Please don't forget to follow me on Twitter at @0xELkomy to see my new blogs, and if you have any comment, send it to me. Thanks. Feel free to connect with me if you have anything.

Thank you for reading the full blog.

Regards,

xElkomy