Unauthorized access to admin setpassword page BY bypassing 403 Forbidden

Hi, everyone

My name is Santosh Kumar Sha, I’m a security researcher from India(Assam). In this article, I will be describing how I was able to access the Admin setpassword page by just bypassing 403 Forbidden

TOOLS used for the exploitation

1. Subfinder (https://github.com/projectdiscovery/subfinder)

2. httpx (https://github.com/projectdiscovery/httpx)

Story of my first bounty:

This is the write of my Recent bug that i found . While I was doing recon for gathering all subdomain and resolving every domain I got an idea why not look for exposed admin and setpassword dashboard without any directory brute-forcing. So after thinking for a hour i got idea why not add my file and directory wordlist path in url and then resolve to see which all are resolving and if there any exposed admin panel.

Here it goes:

To gather all the subdomain i used subfinder

Command used:

subfinder -d target.com -silent

Now After gather all subdomain I want to add “/admin” to all the domain and resolve them to check for any exposed admin panel or admin setpassword dashboard.

Command used

subfinder -d target.com -silent | sed ‘s/$/\/admin/’

subfinder -d target.com -silent | sed ‘s/$/\/setpassword/’

So the target was very large having 30k+ domain so check one by one was very time consuming so make these easier I used “-title” to get the title and “-status-code” to get status code and “-content-length” to get the response length option with httpx to narrow down my task.

So the final command will look like this:

subfinder -d target.com -silent | sed ‘s/$/\/admin/’ | httpx -title -status-code -content-length

But unfortunately there was no admin dashboard exposed . But in all that output of httpx I thing notice that in all 404 status there was a url with status 302 and content-length of 111 But no success i stuck and fully exhausted.

But I was not expecting my failure , I thought why not just use subfinder and httpx to brute-force files and directory at same time So Now I use my bash skill in process so I came up with this

for word in $(echo test); do echo “$file” | xargs -I% sh -c ‘echo “example.com” | httpx -silent -path /%/%.jsp -title -status-code -content-length’ ;done

OUTPUT:
https://example.com/test/test.jsp

Here as you can see i have used the word that i want test for files and directory with extension as jsp

So, Now lets do it on whole target So the finally command will be like these where will be scan whole *.example.com with your wordlist and extension to look for

for files in $(cat wordlist.txt); do echo “$files” | xargs -I% sh -c ‘subfinder -d example.com -silent | httpx -silent -path /%/%.jsp -title -status-code -content-length’ ;done

After executing the command I got these url with status-code 403

https://devadmin.example.com/admin/setpassword.jsp

Now its time to Access admin setpassword Dashdoard:

Let suppose the url is https://testadmin.target.com/admin his caught my attention.

So when i visited the url https://testadmin.target.com/admin in browser it give 403 Foridden error . So after doing some googling i came across a post of Where by adding “.css” at ending of the url we can bypass the 403 . So I just added it and open the url and I was surprise to see that setpassword page of the admin.

https://devadmin.example.com/admin/setpassword.jsp?.css

I quickly reported the bug and in hour the report by triage to critical

After seeing this my reaction …

Takeaway

I’m sure that a lot of security researcher had already see there process but this how I approach to access admin dashboard , and i have reported many in HackerOne using this process, .I hope this will help to find more admin Dashboard takeover

That’s one of the reasons why I wanted to share my experience. also to highlight other techniques to exploit such vulnerability.

Support me if you like my work! Buy me a coffee and Follow me on Twitter.

Like to hack and break security code and denfense |Security Researcher |pentester | Bugbounty hunter | Pentration tester | CTF player | BUGBOUNTY

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store