Sensitive Data Exposure in a Moodle Config File
As a bug hunter, having a solid methodology is crucial, especially when you're just starting. It doesn't matter whether it's one you found elsewhere or one you developed yourself. Just don't get caught up in the noise for too long.
Process
Let’s say your target is example.com. You begin with some Google dorking using simple queries, but nothing interesting comes up.
After the initial Google dorking yielded no interesting results, I moved on to subdomain enumeration using a reliable tool called subfinder:
subfinder -all -silent -d example.com -o subfinder.txt
Next, I checked which subdomains were alive using httpx:
cat subfinder.txt | httpx -silent -sc -probe -title -td -ip -t 90 -mc 200,404,403,302,301,303,304,305,306,307,302 -o live1.txt
To dig deeper, I performed subdomain enumeration on the subdomains themselves, a technique that often uncovers hidden gems. After repeating the last command, I found a few new subdomains to test, which could potentially have interesting vulnerabilities, including this one: https://x.x.example.com
One of my favorite things to do is directory fuzzing. There are many great tools for this, like dirb, gobuster, or dirsearch. Personally, I prefer dirsearch because it offers valuable paths and is fast. I kicked it off with the following command:
dirsearch -u https://example.com/ -t 150 -x 403,404,500,429 -i 200,301,302 --random-agent
It returned many 200 OK responses, but the most interesting file was one called config.php.save.

Accessing the config.php.save file revealed sensitive information, such as the database username (dbuser), password (dbpass), and other critical details. This type of exposure can lead to severe security risks if not addressed.
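A copy named config.php.save no longer ends in .php, so a web server typically returns its source instead of executing it. The following is an added example, not part of the original write-up: a local audit a site owner can run over the web root to find such leftover copies and flag the ones holding Moodle's $CFG->dbuser / $CFG->dbpass assignments. The suffix list and the sample directory tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Suffixes editors and admins leave next to a PHP file. nano writes ".save"
# on an emergency exit; the rest of the list is an assumed, common set.
BACKUP_SUFFIXES = (".save", ".bak", ".old", ".orig", ".swp", "~")
# Moodle's config.php assigns credentials as $CFG->dbuser / $CFG->dbpass.
SECRET_RE = re.compile(r"\$CFG->(dbuser|dbpass)\s*=")


def is_php_backup(name):
    """True for names like config.php.save or config.php~, not config.php."""
    lower = name.lower()
    return any(lower.endswith(s) and lower[: -len(s)].endswith(".php")
               for s in BACKUP_SUFFIXES)


def audit_webroot(webroot):
    """Return [(relative_path, credential keys found)] for stray PHP copies."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if not is_php_backup(name):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="replace") as fh:
                keys = sorted(set(SECRET_RE.findall(fh.read())))
            # Report key names only; never echo the credential values.
            findings.append((os.path.relpath(path, webroot), keys))
    return sorted(findings)


def build_sample_webroot():
    """Constructed sample tree: a live config.php plus a leftover .save copy."""
    root = tempfile.mkdtemp(prefix="webroot-")
    body = "<?php\n$CFG->dbuser = 'moodle';\n$CFG->dbpass = 'constructed-secret';\n"
    for name in ("config.php", "config.php.save", "index.php"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body if name.startswith("config") else "<?php\n")
    return root


if __name__ == "__main__":
    for rel, keys in audit_webroot(build_sample_webroot()):
        found = ", ".join(keys) or "no $CFG credentials"
        print(f"{rel}: stray copy of a PHP file; contains {found}")
```

Any file the audit reports should be removed from the web root, and credentials found in a copy that was reachable should be rotated.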

Sometimes you won’t find anything right away, but don’t let that stop you. Every step gets you closer to a win. Keep learning, stay curious, and don’t give up—success comes to those who keep going! 🎉
Result
Update: Resolved 🎉🎉
