Exploiting Admin Panel Like a Boss
Hello Everyone (Ram Ram Ji),
Today I want to talk about one of my most unique and quickest findings on a HackerOne private program. It was all about admin panel access. So let's get started.
Scenario:
1) Bypassing Scenario for admin login page:
I picked one of their assets from that program and, while accessing that URL, I simply appended the /admin directory to the end of it. I got a 403 error on that page. So I thought, why not give bypassing that 403 a shot? I tried some techniques to bypass it, but with no success. Later, I thought, why not change the Host header value of the request? Then I noticed that the 403 error disappeared and the admin panel login page appeared with a 200 OK status code.
The request looked like this:
Original Request/Response:
GET /admin HTTP/1.1
Host: redacted.com
HTTP/1.1 403 Forbidden
Access Denied
Modified Request/Response (Bypass):
GET /admin HTTP/1.1
Host: google.com
HTTP/1.1 200 OK
Admin Panel Login Page (source code)
2) Accessing the admin panel:
This is my favorite part of the finding. Whenever I test an admin panel, my first priority is to try admin as both the username and the password, and luckily this worked here and I got access to the admin panel.
Steps to Reproduce (According to Report):
- Navigate to “https://redacted.com/admin” (gives a 403 error).
- Then intercept that request with Burp Suite.
- After intercepting the request, simply change the Host header value from redacted.com to google.com and hit Go.
- You will find that the server does not validate that request properly. It simply opens up the admin panel login page.
- Now the error changes from 403 Forbidden to 200 OK (bypass done).
- But I still didn't have the right credentials to access the admin panel.
- Luckily, I tried ‘admin’ as the username and ‘admin’ as the password.
- Success.
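As an added example (not from the original post or the affected program), the Python below models the misconfiguration these steps describe, the defender-side fix, and a simple check over access-log lines. The hostnames, the restricted path and the log format are assumptions.

```python
# Added example: models the Host-header 403 bypass and its fixes.
# CANONICAL_HOSTS and the log format below are constructed for illustration.
from dataclasses import dataclass

CANONICAL_HOSTS = {"redacted.com"}      # hosts the app is meant to serve (assumed)
RESTRICTED_PREFIXES = ("/admin",)        # paths that must never be reachable from the internet

@dataclass
class Request:
    path: str
    host: str

def vulnerable_route(req: Request) -> int:
    """Misconfigured front end: the /admin block is attached only to the
    canonical virtual host. A request carrying an unknown Host value falls
    through to a default vhost that serves /admin with no restriction."""
    if req.host in CANONICAL_HOSTS:
        if req.path.startswith(RESTRICTED_PREFIXES):
            return 403
        return 200
    return 200  # default vhost: restriction never applied (the bypass)

def hardened_route(req: Request) -> int:
    """Fix 1: apply the /admin restriction before vhost dispatch, so it holds
    for every Host value. Fix 2: refuse Host values the server does not own
    (421 Misdirected Request) instead of serving a permissive default."""
    if req.path.startswith(RESTRICTED_PREFIXES):
        return 403
    if req.host not in CANONICAL_HOSTS:
        return 421
    return 200

def flag_host_mismatch(log_lines):
    """Detection: return lines where a restricted path answered 200 to a
    request whose Host header was not one of ours.
    Constructed log format: '<host> "<METHOD> <path> HTTP/1.1" <status>'."""
    hits = []
    for line in log_lines:
        host, rest = line.split(" ", 1)
        path = rest.split('"')[1].split()[1]
        status = int(rest.rsplit(" ", 1)[1])
        if path.startswith(RESTRICTED_PREFIXES) and host not in CANONICAL_HOSTS and status == 200:
            hits.append(line)
    return hits
```

The log check is the cheap retrospective test: any 200 on a restricted path with a foreign Host header means the vhost fallback was reachable.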
Timeline:
June 30, 2018 — Reported to Private Program
June 30, 2018 — Report Triaged
July 05, 2018 — Vulnerability fixed
July 22, 2018 — Bounty of $1500 USD awarded
Special thanks to nullr3x (Big Bad Bro 🤑)