How I hacked 74k users of a website.

Utkarsh Agrawal
Mar 11, 2018 · 2 min read

Hello guys,

I follow the quote “Sharing is Caring”, so I decided to share a vulnerability I found in a website, which I have named “Admin Panel Pwned”. Sounds interesting, right? Let’s talk about how I found it.

I am not naming the website; instead I will use example.com. I also don’t have screenshots, but I will try my best to explain it clearly. ;)

So while browsing the website for an hour, I noticed that an “admin” directory was present. Every researcher gets excited to test that directory, and so did I.

When I went to that directory, it gave a “No Access” error, as I was 90% sure it would.

Now, we all have a great tool, i.e. DirBuster. If newbies are reading this and don’t know about DirBuster: it is a tool for brute-forcing directories, a directory brute-forcer.

So I ran it on that directory, i.e. http://example.com/admin/

So I just minimized the DirBuster window and went to check for other vulnerabilities (and yeah, I found 2 XSS: one is simple and the other one is a filter-bypass XSS :P). When I came back and checked DirBuster, what did I see? A bunch of directories were available.

So I was like

But when I went to check them, I got “No Access”. But I knew that I had some malicious stuff in my hands, so I wanted to dig more.

And then I found a file, i.e. remove_access.php

So when I went to it, I got a super cool webpage which had an input field for Username with a delete button.

When I typed my username into it, it removed my account successfully. I screamed loudly. :p

This is the screenshot after removing the account. It is the only screenshot I have.

Now I could delete any user (from the list of 74k) on their website, even the ADMIN itself.
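An added example, not the site's code (the post shows none): the bug as a hypothetical remove_access.php, in the vulnerable shape the post describes beside a hardened one that checks authorization in the script itself instead of relying on the “No Access” rule on the /admin/ directory. The session keys, the `users` table with a `role` column, and the SQLite path are assumptions.

```php
<?php
// Added example, not the site's code. Assumed: a `users` table with
// `username` and `role` columns, $_SESSION['user_id'|'role'|'csrf'], pdo_sqlite.

// Vulnerable pattern: the access check lives only on the directory index, so a
// direct request to this script skips it and deletes whatever username is sent.
function remove_user_vulnerable(PDO $db, string $username): bool {
    $stmt = $db->prepare('DELETE FROM users WHERE username = ?');
    $stmt->execute([$username]);
    return $stmt->rowCount() === 1;
}

// Hardened pattern: every request to this script is authorized here, the action
// is POST-only with a session-bound CSRF token, and the deletion is audited.
function remove_user_hardened(PDO $db, array $session, array $post, string $method): bool {
    // 1. Authentication and authorization enforced in the script, not only on /admin/.
    if (empty($session['user_id']) || ($session['role'] ?? '') !== 'admin') {
        http_response_code(403);
        return false;
    }
    // 2. State change: POST only, with a CSRF token compared in constant time.
    if ($method !== 'POST' || !hash_equals((string)($session['csrf'] ?? ''), (string)($post['csrf'] ?? ''))) {
        http_response_code(403);
        return false;
    }
    $username = trim((string)($post['username'] ?? ''));
    if ($username === '') {
        http_response_code(400);
        return false;
    }
    // 3. This form can never remove an admin account (the post's "even the ADMIN itself").
    $stmt = $db->prepare("DELETE FROM users WHERE username = ? AND role <> 'admin'");
    $stmt->execute([$username]);
    $deleted = $stmt->rowCount() === 1;
    // 4. Audit trail: which admin removed which account, and whether anything changed.
    error_log(sprintf('admin %d removed user "%s": %s',
        (int)$session['user_id'], $username, $deleted ? 'ok' : 'no-op'));
    return $deleted;
}

session_start();
$db = new PDO('sqlite:' . __DIR__ . '/users.db');   // assumed location of the user store
echo remove_user_hardened($db, $_SESSION, $_POST, $_SERVER['REQUEST_METHOD']) ? 'removed' : 'denied';
```

The web-server rule that returned “No Access” for /admin/ still belongs in place as a second layer, but it must cover every path under the directory, not just its index.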

So, I quickly went to report the issue, along with the XSS vulnerabilities.

Then I got a quick reward, and they also changed 50% of the code of their website. And they invited me to pentest their new site comprehensively.

Now, guys, this was really an amazing experience. I always wanted to pwn an admin panel, and I did it.

Nothing more to say. But thank you very much for reading this blog.

Contact:

https://twitter.com/@agrawalsmart7
