Hey guys
It's been a while since I blogged, so I thought I would share my old admin panel hijacks. All of them came from one simple trick. Last time I blogged about a session prediction issue to bypass authentication; this time I will explain a technique based on bruteforce!
I know what you are thinking: bruteforce means guessing the login details, right? No, it does not. Here bruteforce means guessing the directories. Confusing? So let's get into action!
What are the mistakes made by developers?
- They use the same authentication for normal users and admins.
- They verify the normal user's session when the user reaches the admin panel...
- ...but fail to verify it when the normal user reaches directories inside the admin panel! This can lead to an authentication bypass.
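To make the third mistake concrete, here is an added example (my own code, not from the post or either vendor): a minimal path authorizer that reproduces the flawed check beside the corrected one, plus a small self-test in the spirit of a directory bruteforce run with a normal user's session. The route table, the user records and the wordlist are constructed for illustration.

```python
import posixpath
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool

# Constructed route table: the admin "directory" has internal sub-resources.
ROUTES = {"/", "/account", "/admin", "/admin/bulletins", "/admin/users"}

def normalize(path: str) -> str:
    """Collapse '.', '..' and repeated slashes so a prefix check cannot be dodged."""
    return posixpath.normpath("/" + path.lstrip("/"))

def authorize_flawed(user: User, path: str) -> int:
    """The mistake from the post: the session is only checked on /admin itself."""
    path = normalize(path)
    if path not in ROUTES:
        return 404
    if path == "/admin" and not user.is_admin:
        return 403  # the landing page says "Access Denied" ...
    return 200      # ... but /admin/bulletins is served to any logged-in user

def authorize_fixed(user: User, path: str) -> int:
    """Fix: everything under the /admin prefix is admin-only, checked before routing."""
    path = normalize(path)
    if (path == "/admin" or path.startswith("/admin/")) and not user.is_admin:
        return 403  # known and unknown admin paths look the same to a normal user
    return 200 if path in ROUTES else 404

def unprotected_admin_paths(authorize, user: User, wordlist) -> list:
    """Access-control self-test: admin sub-paths a normal user can still reach."""
    return [f"/admin/{w}" for w in wordlist if authorize(user, f"/admin/{w}") == 200]

if __name__ == "__main__":
    normal = User("normal", is_admin=False)
    words = ["lol", "bulletins", "users"]  # constructed mini wordlist
    print("flawed:", unprotected_admin_paths(authorize_flawed, normal, words))
    print("fixed :", unprotected_admin_paths(authorize_fixed, normal, words))
```

Running the same self-test with a low-privilege session against every admin sub-route (what the Autorize Burp plugin mentioned in the comments automates) is the quickest way to catch this class of bug before a bug hunter does.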
# My stories on authentication bypass
1) Tesla Services admin panel takeover
- I just ran a normal subdomain scan using knock and got http://service.teslamotors.com
- Then I registered as a normal user.
- I put /admin at the end and got redirected to http://assets.teslastatic.com/index.html. I was surprised that it redirected me without showing any 404 page.
- So I confirmed the admin directory by generating a 404, e.g. https://service.teslamotors.com/admin/lol
- As I guessed, it showed me "Access Denied".
- So I ran a directory bruteforce with dirbuster and found that an internal directory, /admin/bulletins, was not validated.
- From this URL I was able to delete documents, modify documents, etc.
- @sai shanthan helped in grabbing the site and its admin panel by generating 404s, which helped a lot in this process; I just ran a dirbust scan and got the access.
2) OTOY admin panel takeover!
- Same as Tesla: here too I ran a subdomain scan and got https://account.otoy.com/
- Again I registered as a normal user.
- I navigated to /admin and it showed "You are not authorized to perform this action."
- So I ran a directory bruteforce with dirbuster again, and got some juicy URLs that I could access with only a normal user session.
- Almost 1005*25 users' details leaked; we could change other users' passwords and delete those users. This was the best admin panel I have ever hacked.
- Sometimes you get read-only access; at that time you need to use your ninja skills to evade it xD
Both teams paid me a decent bounty for these bugs. Thanks for reading; just comment and let me know your feedback.
Regards
N B
# Comments

Wow awesome finding bro :D

This is because the testers there didn't check their systems for access control properly! :) I love Autorize plugin for burp! Does a fantastic job. Anyways nice! I always use dirb