Adversis / PandorasBox

Security tool to quickly audit Public Box files and folders.
BSD 3-Clause "New" or "Revised" License

Help getting complete feedback after running program #4

Open StickFiza opened 5 years ago

StickFiza commented 5 years ago

Hi,

My company uses BOX, and found out about this vulnerability a couple of weeks ago. They have asked me to investigate to let them know if our accounts were exposed. I came across your program, and thought this would be the ideal tool to use to investigate. I am new to Python, and after two weeks of intense tutorials and targeted searches, I have been able to get the program to run in Linux. While the program appears to run through to completion, the only feedback it ever provides me in the log it generates is: "2019-04-09 23:01:38,179 INFO [+] Found Box Account at https://mycompany.account.box.com" How do I get it to provide more useful feedback, similar to what is in your code?

Thanks. StickFiza

Adversis commented 5 years ago

So if there is no output beyond the one log stating that a Box account was found, then the wordlist you used did not find any open box folders/files. That being said, if you have access to the administrators of your Box account, you should be able to run a report to get the Publicly shared files. https://community.box.com/t5/How-to-Guides-for-Admins/Running-Reports/ta-p/26790

StickFiza commented 5 years ago

Thanks for the prompt response...and the clarification. As I was writing up my findings for my Boss, I noticed something about our folders that I hadn't before. All of our shared folders have names with only numbers. In other words, all of our folder names were automatically generated and only include numbers. That said, running your program and using that word list that doesn't include any numbers would not detect any of our shared folders, correct? Assuming so, any ideas how I would conduct a search that will enumerate those numbers-only folder names? I want to make sure my assessment back to my Boss didn't miss something this tool was not designed to detect.

Thanks again...
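The admin-report route Adversis points to above is the defender-side check that does not depend on a wordlist at all, so it also covers the auto-generated numeric folder names the second comment worries about. The script below is an added example, not part of this thread or of PandorasBox: it parses a constructed CSV in the shape of a shared-links export and flags every item whose link access is `open` (Box's access level for links usable by anyone holding the URL; `company` and `collaborators` are the restricted levels). The column names, owner addresses, and URLs are assumptions made up for the sample; adjust the header names to match the report your Box admin actually exports.

```python
import csv
import io

# Constructed sample of an admin-side shared-links export. The column names are
# an assumption for this example and must be mapped to the real report's header.
SAMPLE_REPORT = """item_name,item_type,owner,shared_link_access,shared_link_url
20190101,folder,alice@example.com,open,https://mycompany.box.com/s/EXAMPLE1
20190102,folder,bob@example.com,company,https://mycompany.box.com/s/EXAMPLE2
Q1 budget.xlsx,file,carol@example.com,collaborators,https://mycompany.box.com/s/EXAMPLE3
20190103,folder,dave@example.com,open,https://mycompany.box.com/s/EXAMPLE4
"""

# Box shared-link access level that makes an item reachable by anyone with the URL.
PUBLIC_ACCESS = "open"


def parse_report(csv_text):
    """Parse the CSV export into a list of row dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def find_public_shares(rows):
    """Return only the rows whose shared link is open to the public."""
    return [
        r for r in rows
        if r.get("shared_link_access", "").strip().lower() == PUBLIC_ACCESS
    ]


def summarize(rows):
    """Count total items, public items, and public items with numbers-only names.

    The numeric-name count shows that the report-based audit catches the
    auto-generated folder names a dictionary-based scan would never guess.
    """
    public = find_public_shares(rows)
    numeric_names = sum(1 for r in public if r["item_name"].strip().isdigit())
    return {
        "total": len(rows),
        "public": len(public),
        "public_numeric_names": numeric_names,
    }


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    for r in find_public_shares(rows):
        print(f"[!] public {r['item_type']} '{r['item_name']}' "
              f"owned by {r['owner']}: {r['shared_link_url']}")
    print(summarize(rows))
```

Run it against the real export by replacing `SAMPLE_REPORT` with the file contents; the rows it prints are the shares to review or revoke, and the summary gives the figures a manager would want in the write-up.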