REST framework Admin Panel bypass and how I recon for this vulnerability

Hi, This is Aziz Hakim a.k.a hackerb0y

This is my first write-up, I will try to share something that might help you and obviously pardon my mistakes.

This is blog is all about how I recon for the program, specially the sub domain where I got the vulnerability.

Choosing a Program :)

I never care how many researcher already working there, I set my mind that I am the first guy here to submit at least one vulnerability. Never upset that, I got a private invitation and in this program why so many researcher are there? But ask yourself, there are numerous researcher that’s mean this program is so buggy / vulnerable ? Yes, that’s the words or motivation should have in you. Though I am not enough motivated -_-

Instead of upsetting, read the program scopes and description carefully and see what they do accept and what they do not!!!

Imagine the program’s name is “hackerboy.com”

Starting Test

Whenever I go for a test a new program, I always start with

Sub-domain Enumeration

knockpy hackerboy.com

python sublist3r.py -u hackerboy.com

aquatone

webscreenshot

I think these are enough for sub-domain enumerating!

After sub-domain’s info gathered, I chose few sub and tried for some known vulnerabilities, but I could not succeed. I went to google, github, censys, shodan for gathering more info, but I didn’t find anything special.

After one day, while checking all screenshots again, one screenshot took my attention :|

The screenshot was about a sub-domain, which is like fullapi.hackerboy.com

When I visit, I saw some error

Path are Exposing

All we love to go to find something on “/admin” login page, huh? Don’t we? ✌️

Then I went to “fullapi.hackerboy.com/admin” and I saw an interesting response 😛

Django Admin Login

Wait, authenticated? :/

At a glance, I tried with some brute-force attack but didn’t success. Then I did a dirsearch. Then suddenly, I thought Path are already exposing, why should I go for dirsearch? :/

Then I started trying with every path that are exposing. I have visited “fullapi.hackerone.com/account_mngr” and saw this 😵

Account Manger List Without Authenticated

I click on the “Log in” button, in the right top corner.

and I went to a Login Page.

Django Login

Here comes most significant part of this write-up.

How I bypassed it ? How I logged into this Admin Panel ?

account.hackerboy.com is for all users. Meanwhile, you can create an account and login there! But fullapi.hackerboy.com doesn’t have any registration option either normal users can not login without hackerboy.com’s staffs or employee. Because it’s an “admin panel

What I did here is I have created an account on “account.hackerboy.com” and I entered the same login info on “fullapi.hackerboy.com” and guess what ? The server let me logged into the Admin Panel. ^_^

Admin Panel

w00t? Phone number and other credentials of CEO? 😮

I was thinking that time, why the server let me logged into this panel ? :/ Then suddenly I thought maybe the role of users doesn’t set properly or the server checks only the user is valid or not, if the user account is valid the server let logged anyone into the panel.

One more thing is I think by having authentication misconfiguration anyone can login with user’s registered info! I might me wrong!!!

What can I do with this Admin Panel ?

Full access / Write data on server

Bounty?

Report triaged on HackerOne, don’t know about the bounty yet.

Find Me:

You can ask me anything on my Facebook or Twitter regarding #infosec #bugbounty I will try to help.

Thanks for your valuable time to read it. ^_^

Aziz Hakim

Written by

twitter.com/hackerb0y_

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade