Admin Account total Information Disclosure

Nishant Saurav
Jun 15, 2019 · 2 min read

Hi everyone, this is my 2nd writeup, on an issue I found on one of India’s premier websites for sharing startup and tech news.

I was actually hunting for the “Source Code Disclosure” vulnerability. To do so, I only captured the request, i.e. https://www.xyz.com/idnf,

where ‘idnf’ is the identifier, which could be anything.


But when I started checking the payload results one by one, I opened a request/payload/file named ‘1’, as shown in the screen capture below.


The vulnerability was pretty much straightforward. It was information disclosure and source code disclosure as well, and that too at the admin level.

I was like...

The website was based on WordPress, and all the content, including the IP of the DB, the admin panel, and the database’s name, id, and password, was contained in this file in plaintext, as shown in the screenshots below.


As soon as I got these pieces of information, I tried connecting and I was successful. So I informed the owner of the website and they patched the issue fucking quickly (by quickly I mean they hardly took 4 hours to recheck the issue and respond back to them for the bounty). So I checked and confirmed the mitigation, and on Wednesday I received my bounty of $200. Not big, though quite a good amount looking at the size of the company.
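A defender-side check for the class of exposure described above, added here as an example and not part of the original writeup: it walks a WordPress document root and flags any file that the server would hand out verbatim (anything not ending in .php, such as a stray copy saved as ‘1’ or wp-config.php.bak) yet still carries WordPress-style DB credential defines. The sample document root, its file names and its placeholder credentials are constructed inside the script.

```python
import os
import re
import tempfile

# WordPress-style credential defines, e.g. define('DB_PASSWORD', 'secret');
CRED_DEFINE = re.compile(
    r"""define\(\s*['"](DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)['"]\s*,\s*['"][^'"]*['"]\s*\)""")

def served_as_text(path):
    """Assumption: the server executes only *.php; any other name (a stray '1',
    wp-config.php.bak, wp-config.php~) is handed to clients verbatim."""
    return not path.lower().endswith(".php")

def find_exposed_credentials(docroot):
    """Report files under docroot that would be served as plain text and still
    contain DB credential defines: sorted list of (relative path, define names)."""
    findings = []
    for dirpath, _, files in os.walk(docroot):
        for name in files:
            full = os.path.join(dirpath, name)
            if not served_as_text(full):
                continue
            try:
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    text = fh.read(200_000)  # config files are small; cap the read
            except OSError:
                continue
            keys = sorted({m.group(1) for m in CRED_DEFINE.finditer(text)})
            if keys:
                findings.append((os.path.relpath(full, docroot), keys))
    return sorted(findings)

def build_sample_docroot():
    """Constructed sample site: the real wp-config.php (executed, not leaked)
    plus a stray copy saved under a non-PHP name, as in the writeup."""
    root = tempfile.mkdtemp()
    config = ("<?php\n"
              "define('DB_NAME', 'wp_site');\n"
              "define('DB_USER', 'wpuser');\n"
              "define('DB_PASSWORD', 'placeholder-not-a-real-secret');\n"
              "define('DB_HOST', '10.0.0.5');\n")  # constructed placeholder values
    for filename in ("wp-config.php", "1"):
        with open(os.path.join(root, filename), "w") as fh:
            fh.write(config)
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello';\n")
    return root

if __name__ == "__main__":
    print(find_exposed_credentials(build_sample_docroot()))
```

The scan only catches what the server would serve raw, so pair it with a web-server rule that denies access to copies and backups of wp-config.php.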

Thanks for reading this far. Please mention in the comments if you need more information in my writeups or if I am missing something, because I am new to all this articulating stuff.

If you have any questions you can always find me on Twitter from the link below.

Twitter: https://twitter.com/inishantsinha

:D
