Fun with API keys and secrets
Say you had the following information for a crowdfunding platform. Best way to use it?
My next move is utilizing AWS secrets to dump their DB from AWS RDS. It should be possible, just need to read up on how to get it done. Next, I'd like to see what can be done with the Stripe key and secrets.

What would you do with this?

- SERVER['HOSTNAME']
- SERVER['HTTP_CF_RAY']
- SERVER['HTTP_X_AMZN_TRACE_ID']
- SERVER['aws_s3_bucket']
- SERVER['aws_s3_private_bucket']
- SERVER['AWSAccessKeyId']
- SERVER['AWSSecretKey']
- SERVER['CLOUD_PATH']
- SERVER['DB_DATABASE']
- SERVER['DB_HOST']
- SERVER['DB_PASSWORD']
- SERVER['DB_PORT']
- SERVER['DB_USERNAME']
- SERVER['defaultAdminPassword']
- SERVER['defaultEmailListPassword']
- SERVER['defaultSnn']
- SERVER['defaultSupportPassword']
- SERVER['google_maps_key']
- SERVER['google_search_api_key']
- SERVER['google_search_api_cx']
- SERVER['mailgunApiKey']
- SERVER['payPalClientId']
- SERVER['payPalClientSecret']
- SERVER['READ_REPLICA_HOST']
- SERVER['Recaptcha_Secret']
- SERVER['Recaptcha_SiteKey']
- SERVER['REDIS_HOST']
- SERVER['Secret']
- SERVER['SiteKey']
- SERVER['stripe_connect']
- SERVER['stripe_connect_live']
- SERVER['stripe_connect_test_mode']
- SERVER['stripe_pub']
- SERVER['stripe_pub_test_mode']
- SERVER['stripe_secret']
- SERVER['stripe_secret_live']
- SERVER['stripe_secret_test_mode']
- SERVER['VAULT_ADDRESS']
- SERVER['VAULT_TOKEN']
- SERVER['forexAPIKey']
- SERVER['SEON_API_KEY']

There's a ton more that I didn't include because I didn't think they were relevant/useful.
First and foremost, check the S3 buckets for backups. If there are none, check whether the AWS keys have enough perms to actually make changes to RDS inbound rules etc. With Stripe you can utilize their API to export their user data for that org.
(October 20, 2022, 03:52 AM)aobowo Wrote: First and foremost, check the S3 buckets for backups. If there are none, check whether the AWS keys have enough perms to actually make changes to RDS inbound rules etc. With Stripe you can utilize their API to export their user data for that org.


I've started going through the Stripe API documentation. I was initially hesitant to check out the S3 buckets / AWS because I'm not sure how closely they're monitoring things. I suppose it's safe to assume security isn't necessarily their strong suit, seeing how easily I found the information I did. Regardless, I want to make sure I'm able to exfil everything when I access it in case I'm locked out.
I'll report back with what I find. Probably post some freebies.
(October 20, 2022, 07:52 PM)somepro Wrote:
(October 20, 2022, 03:52 AM)aobowo Wrote: First and foremost, check the S3 buckets for backups. If there are none, check whether the AWS keys have enough perms to actually make changes to RDS inbound rules etc. With Stripe you can utilize their API to export their user data for that org.


I've started going through the Stripe API documentation. I was initially hesitant to check out the S3 buckets / AWS because I'm not sure how closely they're monitoring things. I suppose it's safe to assume security isn't necessarily their strong suit, seeing how easily I found the information I did. Regardless, I want to make sure I'm able to exfil everything when I access it in case I'm locked out.
I'll report back with what I find. Probably post some freebies.

Are... are you sure they are even valid?