How I hacked 74k users of a website.
I follow the quote “Sharing is Caring”, so I decided to share a vulnerability I found in a website. I named it “Admin Panel Pwned”. Sounds interesting? Let’s talk about how I found it.
I am not naming the website; I’ll use example.com instead. I also don’t have screenshots, but I will try my best to explain it clearly. ;)
While browsing the website for about an hour, I noticed that an “admin” directory was present. Every researcher gets excited to test that directory, as I did.
When I went to that directory it returned a “No Access” error, as I was 90% sure it would.
Now we all have a great tool, i.e. DirBuster. If newbies are reading this and don’t know about DirBuster: it is a tool for brute-forcing directories (a directory brute-forcer).
So I ran it on that directory, i.e. http://example.com/admin/
I minimized the DirBuster window and went to check for other vulnerabilities (and yeah, I found two XSS: one simple and the other a “filter bypass” of their XSS protection :P). When I came back and checked DirBuster, what did I see? A bunch of directories were available.
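Directory brute forcing like this is noisy on the server side: one client produces a burst of 403/404 responses under a single path prefix in a short time. As an added example (not part of the original post, and written in Python against constructed access-log lines in Common Log Format), here is a small detector that flags such bursts; the IPs, paths, wordlist and threshold are all made up for the demo.

```python
"""Flag clients whose burst of denied responses under /admin/ looks like directory brute forcing."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _line(ip, second, path, status):
    """Build one constructed log line (all at 13:55 on the same day)."""
    return (f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 169')


# Constructed sample: one client walks wordlist-style paths under /admin/ and
# collects 403/404s; a normal visitor follows one dead link and moves on.
WORDLIST = ["backup", "config", "db", "export", "include", "logs",
            "old", "test", "tmp", "upload", "users", "remove_access.php"]
SAMPLE_LOG = [_line("203.0.113.7", i, f"/admin/{w}", 404 if i % 3 else 403)
              for i, w in enumerate(WORDLIST)]
SAMPLE_LOG += [
    _line("198.51.100.4", 5, "/about", 200),
    _line("198.51.100.4", 7, "/admin/", 403),
    _line("198.51.100.4", 30, "/contact", 200),
]


def parse(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def suspicious_clients(lines, prefix="/admin/", window=timedelta(seconds=60), threshold=10):
    """Return {ip: peak} for clients with at least `threshold` denied (401/403/404)
    requests under `prefix` inside any sliding `window`; peak is the largest such count."""
    denied = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["path"].startswith(prefix) and rec["status"] in (401, 403, 404):
            denied[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in denied.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, n in suspicious_clients(SAMPLE_LOG).items():
        print(f"{ip}: {n} denied requests under /admin/ within 60s")
```

The sliding window keeps a single stray 403 (the second client) below the threshold while the wordlist walk trips it; in production you would feed the same function from the web server's access log and tune `prefix`, `window` and `threshold` to the site's normal traffic.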
So I was like
But when I went to check them, I got “No Access” again. Still, I knew I had something dangerous in my hands, so I wanted to dig more.
And then I found a file: remove_access.php
When I opened it, I got a super cool web page with a user input field for Username and a Delete button.
When I typed my username into it, it removed my account successfully. I screamed loudly. :p
This is the screenshot after removing the account; it is the only screenshot I have.
Now I could delete any user (from the list of 74k) on their website, even the ADMIN itself.
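The root cause is an admin action (delete a user by name) reachable with no authentication or authorization check at all; hiding it in an unlinked directory is not a control. As an added example, not from the post or the site in question and written in Python rather than PHP, here is the same delete action with the checks the endpoint was missing, next to the unchecked behaviour the post describes. The user store, the `Session` class and the audit list are constructed for the demo.

```python
"""A user-deletion action with the checks the post's remove_access.php was missing."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


class AccessDenied(Exception):
    """Raised when a request fails the authentication, authorization or CSRF check."""


@dataclass
class Session:
    """Server-side session; `user` is None for an anonymous visitor (constructed for the demo)."""
    user: Optional[str] = None
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


def make_users():
    """Constructed user store: the role lives server-side, never in client input."""
    return {
        "admin": {"role": "admin"},
        "alice": {"role": "user"},
        "bob": {"role": "user"},
    }


def remove_access_unchecked(users, username):
    """The failure mode described in the post: a delete action behind no check at all.
    Anyone who finds the URL can remove any account, including the admin's."""
    return users.pop(username, None) is not None


def remove_access(users, session, username, csrf_token, audit):
    """Hardened version: authenticate, authorize by server-side role, require the
    session's CSRF token, refuse self-deletion, and record what was done."""
    # 1. Authentication: an anonymous or stale session gets nothing.
    if session.user is None or session.user not in users:
        raise AccessDenied("login required")
    # 2. Authorization: the role is read from the store, not from the request.
    if users[session.user]["role"] != "admin":
        raise AccessDenied("admin role required")
    # 3. CSRF: a state-changing request must carry the token bound to this session.
    if not hmac.compare_digest(csrf_token, session.csrf_token):
        raise AccessDenied("invalid CSRF token")
    # 4. Guard rail: an admin cannot lock everyone out by deleting itself.
    if username == session.user:
        raise AccessDenied("cannot delete your own account")
    if username not in users:
        return False
    del users[username]
    audit.append((session.user, "delete_user", username))
    return True


def attempt(users, session, username, csrf_token, audit):
    """What an HTTP handler would map to a status code: 'deleted', 'absent' or 'denied'."""
    try:
        return "deleted" if remove_access(users, session, username, csrf_token, audit) else "absent"
    except AccessDenied:
        return "denied"


if __name__ == "__main__":
    users, audit = make_users(), []
    print(attempt(users, Session(), "admin", "", audit))                 # denied (anonymous)
    admin = Session(user="admin")
    print(attempt(users, admin, "bob", admin.csrf_token, audit), audit)  # deleted
```

Checks 1 and 2 are what was missing here; check 3 matters once the page is only reachable by logged-in admins, since a cross-site request made by an admin's browser would otherwise carry their session and delete users for an attacker.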
So I quickly reported the issue, along with the XSS vulnerabilities.
I got a quick reward, and they also changed 50% of the code of their website. And they invited me to pentest their new site comprehensively.
Now, guys, this was a really amazing experience. I always wanted to pwn an admin panel, and I did it.
Nothing more to say. Thank you very much for reading this blog.