Unauthorized access to admin setpassword page BY bypassing 403 Forbidden
My name is Santosh Kumar Sha, I’m a security researcher from India(Assam). In this article, I will be describing how I was able to access the Admin setpassword page by just bypassing 403 Forbidden
TOOLS used for the exploitation
1. Subfinder (https://github.com/projectdiscovery/subfinder)
2. httpx (https://github.com/projectdiscovery/httpx)
Story of my first bounty:
This is the write of my Recent bug that i found . While I was doing recon for gathering all subdomain and resolving every domain I got an idea why not look for exposed admin and setpassword dashboard without any directory brute-forcing. So after thinking for a hour i got idea why not add my file and directory wordlist path in url and then resolve to see which all are resolving and if there any exposed admin panel.
Here it goes:
To gather all the subdomain i used subfinder
subfinder -d target.com -silent
Now After gather all subdomain I want to add “/admin” to all the domain and resolve them to check for any exposed admin panel or admin setpassword dashboard.
subfinder -d target.com -silent | sed ‘s/$/\/admin/’
subfinder -d target.com -silent | sed ‘s/$/\/setpassword/’
So the target was very large having 30k+ domain so check one by one was very time consuming so make these easier I used “-title” to get the title and “-status-code” to get status code and “-content-length” to get the response length option with httpx to narrow down my task.
So the final command will look like this:
subfinder -d target.com -silent | sed ‘s/$/\/admin/’ | httpx -title -status-code -content-length
But unfortunately there was no admin dashboard exposed . But in all that output of httpx I thing notice that in all 404 status there was a url with status 302 and content-length of 111 But no success i stuck and fully exhausted.
But I was not expecting my failure , I thought why not just use subfinder and httpx to brute-force files and directory at same time So Now I use my bash skill in process so I came up with this
for word in $(echo test); do echo “$file” | xargs -I% sh -c ‘echo “example.com” | httpx -silent -path /%/%.jsp -title -status-code -content-length’ ;done
Here as you can see i have used the word that i want test for files and directory with extension as jsp
So, Now lets do it on whole target So the finally command will be like these where will be scan whole *.example.com with your wordlist and extension to look for
for files in $(cat wordlist.txt); do echo “$files” | xargs -I% sh -c ‘subfinder -d example.com -silent | httpx -silent -path /%/%.jsp -title -status-code -content-length’ ;done
After executing the command I got these url with status-code 403
Now its time to Access admin setpassword Dashdoard:
Let suppose the url is https://testadmin.target.com/admin his caught my attention.
So when i visited the url https://testadmin.target.com/admin in browser it give 403 Foridden error . So after doing some googling i came across a post of Where by adding “.css” at ending of the url we can bypass the 403 . So I just added it and open the url and I was surprise to see that setpassword page of the admin.
I quickly reported the bug and in hour the report by triage to critical
After seeing this my reaction …
I’m sure that a lot of security researcher had already see there process but this how I approach to access admin dashboard , and i have reported many in HackerOne using this process, .I hope this will help to find more admin Dashboard takeover
That’s one of the reasons why I wanted to share my experience. also to highlight other techniques to exploit such vulnerability.