How to use Github Detection to find Tesla API request loopholes

2025-01-23 Update. From: SLTechnology News&Howtos > Network Security

Shulou (Shulou.com) 05/31 Report

Many newcomers are unclear about how GitHub can be used to find vulnerabilities such as this Tesla API request flaw. The following walks through one case in detail for anyone who needs it; I hope you gain something from it.

The following describes how username and password credentials for a Tesla server were found through GitHub recon, and how those credentials could then be used to make successful requests to Tesla's back-end API and retrieve sensitive data.

Vulnerability discovery

I'm familiar with help desk and administrator roles, but I had not done much network security before and am still new to the security industry. Over the last few days I had been watching @Th4G3nt3lman's GitHub Recon video tutorial on manual GitHub search techniques, including keyword searches and finding unusual repositories. After watching it, I tried it out myself, taking Tesla as a target and searching for things like:

"tesla.com" password=

Nothing turned up, so I changed the query:

"tesla.com" pass=

Still no results. One more try:

"tesla.com" pwd=

This one returned a hit:

It was a Tesla repository, updated three days earlier:

As can be seen from the code above:

1. It is code that interacts with ServiceNow, a professional cloud IT service management tool that I am familiar with.

2. The username (user) and password (pwd) are base64-encoded strings that can be decoded.

Testing and verification

With this credential in hand, I thought about how to use it. Drawing on CTF experience, I decoded the base64-encoded fields above with the online CyberChef tool, so that I could try logging in.
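As an added example that is not part of the original write-up, here is the defender's counterpart of the manual search described above: a small Python scanner that flags hard-coded user/pass/pwd assignments in source files, decodes base64-encoded values the way the author did with CyberChef, and models the `"tesla.com" pwd=` query as a scope check. The sample script, key names, reference-skipping heuristic and domain-scope logic are constructed assumptions, not Tesla's or ServiceNow's code.

```python
import base64
import re

# Credential-assignment keys, mirroring the manual GitHub search terms from the
# write-up (password=, pass=, pwd=) plus the user/username key paired with them.
CRED_RE = re.compile(
    r"""\b(?P<key>user(?:name)?|pass(?:word)?|pwd)\s*[=:]\s*["']?(?P<val>[^\s"';,]+)""",
    re.IGNORECASE,
)
REF_RE = re.compile(r"^(\$|os\.environ|process\.env|\{)")  # variable/env lookups, not literals
B64_RE = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")

def decode_if_base64(value: str):
    """Return the plaintext if value is base64 decoding to printable ASCII, else None."""
    if len(value) % 4 or not B64_RE.fullmatch(value):
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    text = raw.decode("ascii", errors="replace")
    return text if text.isprintable() and "\ufffd" not in text else None

def scan_source(text: str) -> list:
    """One finding per hard-coded credential literal: line, key, encoded flag, recovered secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CRED_RE.finditer(line):
            value = m.group("val")
            if REF_RE.match(value):
                continue  # e.g. $env:SN_PASSWORD is a reference, not a secret
            plain = decode_if_base64(value)
            findings.append({"line": lineno, "key": m.group("key").lower(),
                             "encoded": plain is not None,
                             "secret": plain if plain is not None else value})
    return findings

def matches_recon_query(text: str, domain: str) -> bool:
    """Model the '"<domain>" pwd=' query: scope string present plus a password-type literal."""
    if domain.lower() not in text.lower():
        return False
    return any(f["key"] in ("pass", "password", "pwd") for f in scan_source(text))

# Constructed sample modelled on a ServiceNow integration script; not the leaked file.
SAMPLE = """$instance = "https://example.service-now.com"
$user = "c3ZjLXNlcnZpY2Vub3c="
$pwd  = "UGFzc3cwcmQhMjAyNA=="
$password = $env:SN_PASSWORD
$owner = "it-helpdesk@tesla.com"
"""
```

Running `scan_source(SAMPLE)` reports the two base64 literals (with their decoded plaintext) and skips the environment reference; a pre-commit hook built on this catches the pattern before it reaches a public repository.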

Embarrassingly, when I tried to log in to Tesla's ADFS (https://sso.tesla.com/adfs/) with the cleartext credentials, it prompted for multi-factor authentication and verification of the user's mobile phone number, which made things difficult.

The API saves the day

At this point there seemed to be no hope. However, since I know ServiceNow and use its API regularly in my work, I wanted to try Tesla's API endpoints. So I built a request in Postman containing the credentials above to see whether it would return a valid response.

From the list of Tesla API endpoints I had probed, I picked several and sent the requests. BOOM! No further authorization check at all, HTTP 200! Notably, the request I built was small, but the returned data actually crashed Postman, which shows how much data the response contained.

ServiceNow is a cloud service management tool. After installation it includes a service named "MID Server", which is responsible for pushing data to the cloud instance, including Active Directory data such as users and hosts. This is how ServiceNow links incidents or help desk tickets to specific users, and it is also a means for engineers to import and manage items in ServiceNow's production system.

In other words, through requests to the instance, an attacker could obtain every internal service, including IP addresses and system descriptions, as well as change requests, incident information, and service request tickets.

For this reason, I wrote a PowerShell script and ported it to Python, which can download the data of the entire ServiceNow instance. With this demonstrated, the vulnerability was eventually upgraded from P4 to P1.

After the vulnerability was reported, Tesla deleted the repository within three hours, and afterwards added MFA verification to ServiceNow instance requests made through the API.

Lessons learned

Be good at using search syntax: the Tesla repository mentioned above had been exposed on the Internet for more than three years, and the updated code happened to be discovered by me.

Automated tools can't find everything; sometimes you have to do it by hand.

Any vulnerability can be found, and some vulnerabilities don't require much technique, only an understanding of the application logic and knowing where to start.
