
So basically you run an endless script to fetch https://www.tesla.com/sites/default/settings.php and hope that some day there will be a minor nginx config error which lets you download the php source instead of executing it.

This will happen some day, so invest 5 bucks per month to exploit Tesla at a certain point, so maybe you can be first in line for the Cybertruck :-)
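One way to tell the three outcomes apart when polling a PHP file this way (denied, executed normally, or raw source handed back by a misconfigured server). This is an added example, not code from the thread or from Tesla; the sample responses are constructed, and the marker strings it looks for are an assumption based on the layout of a Drupal settings.php:

```python
"""Classify how a web server answered a request for a PHP file such as
/sites/default/settings.php.

Added example, not code from the thread. The Response objects in SAMPLES are
constructed for illustration; nothing here talks to a network.
"""
import re
from dataclasses import dataclass

# A leaked source file begins with the PHP open tag (short or long form).
PHP_OPEN_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)

# Strings that appear in a Drupal settings.php source but never in its output
# (the file only assigns variables). Assumption for this example.
SECRET_MARKERS = ("$databases", "$settings['hash_salt']")


@dataclass
class Response:
    status: int
    content_type: str
    body: str


def classify(resp: Response) -> str:
    """Return 'blocked', 'executed', 'source-leak' or 'other'."""
    if resp.status in (401, 403, 404):
        return "blocked"
    if resp.status != 200:
        return "other"

    # Server returned the file with its own type instead of running it.
    if "php" in resp.content_type.lower():
        return "source-leak"

    body = resp.body.lstrip("\ufeff \t\r\n")  # tolerate a BOM / leading whitespace
    if PHP_OPEN_TAG.match(body) or any(m in body for m in SECRET_MARKERS):
        return "source-leak"

    # A correctly executed settings.php produces an empty body; a framework
    # error page is still "executed" from the server's point of view.
    if body.strip() == "" or "text/html" in resp.content_type.lower():
        return "executed"
    return "other"


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "executed": Response(200, "text/html; charset=UTF-8", ""),
    "denied": Response(403, "text/html", "<html><body>Forbidden</body></html>"),
    "raw_php": Response(
        200,
        "application/octet-stream",
        "<?php\n$databases['default']['default'] = [\n  'password' => 'hunter2',\n];\n",
    ),
    # Fragment leak: open tag missing but a secret-bearing line came through.
    "fragment": Response(200, "text/html", "$settings['hash_salt'] = 'abc';\n"),
}


def audit(samples=SAMPLES):
    """Map each sample name to its classification."""
    return {name: classify(r) for name, r in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:10s} -> {verdict}")
```

The same check works as a self-test against your own site: a 403 (or 404) is the answer you want for a configuration file, an empty 200 means the server ran it, and anything that starts with `<?php` or carries a credential marker is the failure the comment above is waiting for.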



This seems to be too sophisticated an attack; sometimes simplicity is better: https://samcurry.net/cracking-my-windshield-and-earning-1000...


Time to try naming your Tesla "drop table vehicles;"


Ah good old bobby tables :)




Great read


this was such a great read, people like you make me want to learn more and more everyday


Pretty sure every site on IPv4 gets probed multiple times a day for common config leaks and other misconfigurations. Happens to all of mine.


Yeah, but if a gitignore tells you where to look, and it isn't even blocked by a WAF / rule, it makes an interesting target, esp. one of the largest companies out there.

You shouldn't even be able to execute settings.php


It's a good sign there might be an exploitable file upload vulnerability, if you can find an endpoint that uploads files to a directory that's served by Apache with the same configuration as the directory of the executable settings.php


How is it a good sign of anything like that? File upload to disk is a completely unrelated concept that depends on how php is invoked by the web server.


Sure, I'm just saying it makes an executable file upload more likely. Because if a file like settings.php is executable by Apache, it implies that (at least in this directory) any .php file is executable by Apache, rather than a single whitelisted index.php or some wsgi setup.

So maybe the same configuration applies to a user upload directory. If you find a way to upload a .php file to a web directory on the same server, there is a possibility you can execute it - with higher success probability than if you did not know about settings.php being executable.
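The Apache configuration the two comments above are arguing about, written out as an added example (not configuration from the thread or from Tesla's site). It assumes a Drupal-style layout where `/var/www/html/sites/default/files` is the user upload directory; the directory path and the mod_php setup are assumptions:

```apache
# Added example, not from the thread. Assumes mod_php and a Drupal-style
# docroot with /var/www/html/sites/default/files as the upload directory.

# Weak: a docroot-wide handler means any .php file under it executes, so a
# .php that reaches the upload directory runs exactly like settings.php does.
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>

# Hardened: turn the PHP engine off for the upload tree and refuse to serve
# anything that looks like a script from it. Also deny settings.php outright;
# nothing should ever need to request it directly, so even a handler slip
# cannot turn it into a source leak.
<Directory "/var/www/html/sites/default/files">
    php_admin_flag engine off
    <FilesMatch "\.(php[0-9]?|phtml|phar)$">
        Require all denied
    </FilesMatch>
</Directory>

<Files "settings.php">
    Require all denied
</Files>
```

`php_admin_flag` only exists under mod_php; with php-fpm the equivalent is to override the proxy handler for that directory (`SetHandler none` inside the `<Directory>` block) in addition to the `Require all denied` rule, so that a stray `.php` upload is served as an inert file, if at all, rather than passed to the interpreter.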


Finally, a compelling reason to use IPv6.


This comment transported me back to 2010 or thereabouts when this happened to Facebook. I remember being surprised at the simplicity of the code and making a lot of jokes about "build a facebook clone" ads on freelance websites.


I am sure there are lots of automated scripts doing precisely that with pretty much every company that has a website.

I used to keep a hall of shame on my main site, because looking for "settings.php" or "global.asa" on a Zope site was just silly.


Except that you'll find that error long before the cybertruck ships. Heck, you'll probably see the rebirth of NFTs and BTC over US$40000 before the cybertruck ships.




