Application SecurityUncategorized

Github Hacking for fun and… sensitive data search!

Conviso Research and Development Team is usually reading thousands and thousands of information daily and we make some filters and pay attention to some special words. We saw a very interesting post at Full Disclosure about advanced GitHub Search.

Right after reading what we shared in our internal list, this information and a little bit of Github Hacking proved that GitHub is a Disneyland of information leakage. We tried a lot of different searches and some interesting or I could say, VERY INTERESTING, as you see below.

Private Key

 

 


FTP information

 

E-mail information

MySQL Password / History

 

How about finding some possible 0days? Backdoors? Hell yeah! It’s possible too.
Check out this GitHub “Dork”:

stars:>1000 forks:>100 extension:php "eval(preg_replace("

We searched for big projects who have more than 1000 stars, 100 forks, files with PHP extension and a possible flaw that allows Remote Code Execution.

 

 

Check out other prefixes that might help you keeping your search improved GitHub Search Cheat Sheet.
Lots of FUN isn’t ? We could probably find just about anything, the sky is the limit!

So to make our lives easier we developed a tool to grab those information in a more automated way:

 
 
 

You can check the code and download it from here (but keep in mind that it is still in beta version).

Take care about what information you share. Lots of sensitive information could probably be over there. Search for information about your company before the bad guys do.

Originalmente postado no Blog da Conviso Application Security – Siga-nos no Twitter @conviso Google+
About author

Articles

A team of professionals, highly connected on news, techniques and information about application security
Related posts
Application SecurityCode Fighters

CVE: 2021–3311 October CMS Token Reactivation

Let’s talk about October CMS Token Reactivation. Don’t get me wrong, but I believe that…
Read more
Application Security

Are hashes truly One-Way functions?

So recently an interesting topic of discussion rose on one of our meetings here, what exactly are…
Read more
Application SecurityCode Fighters

JSON WEB Tokens: Tips and procedures for secure implementation

JWT (JSON WEB Tokens) is an open standard, documented by RFC-7519, that defines how to transmit and…
Read more

Deixe um comentário