Shodan - “Unauthorized access to setup panel”



In today’s writeup I will show you how you can find a setup/admin panel without supplying any credentials, not even default ones 😈.

The company marked it as low and rewarded only €75 🥺. I will tell you why they marked it as low; be patient.

I was searching for a bug bounty program, and my 🎯 aim was to find one that is less crowded. Luckily I got one.

We know that reconnaissance is the key 🔑, so I tried every possible way to gather information and reported some disclosure of sensitive files, for which I got the same bounty ✅️.

After gathering subdomains I started checking 🫣 them one by one and got a subdomain: status.example.com

When I opened it I saw the status page of the website: whether it is up or not, when it was last updated, maintenance notices, etc. 📝 From waybackurls I got the same domain with the /login and /setup endpoints. To access the setup panel you must provide credentials first, but I didn’t have any, so I skipped it after trying SQL injection 💉.

Now come to Shodan 🔥. When I searched for the company domain with ssl:example.com I got 19000+ IPs, most of them with the title “Authorization required”.

So I refined my search with this ✨️: ssl:example.com http.status:200 -http.title:"Authorization required"

From that search I had only 28 IPs 😊. Before applying any filter in Shodan, always do a facet analysis, which gives an overview of the available filters and their values 👇

Facet Analysis

I was checking them one by one but didn’t 😶 get anything, but when I moved to the next page I saw the title Setup. I opened it and got access to the server’s setup 😁 page, from which I was able to manipulate the settings. Now the company marked it as low and gave only €75.

The reason was that it was just the status page’s own setup. I could edit the settings of this site only, not of the main domain 🥲.

But in this way you could 💬 find the admin/setup panel of other sites. Just remember, while searching Shodan, to refine your search with the title and status filters. To exclude pages having a specific title, add a - (minus) sign before http.title, like:

-http.title:"Error"

I could get the same setup page using this search ✅️:

ssl:example.com http.status:200 http.title:"setup"
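To turn the searches above into a repeatable exposure check over your own certificate-bearing assets, here is an added Python example (not from the original post) that builds the query with the same ssl:/http.status:/http.title: filters, reproduces the facet analysis offline and flags banners whose title suggests a setup/admin panel. The sample results are constructed; the live path assumes the official shodan package and a SHODAN_API_KEY environment variable.

```python
import os
import re
PANEL_TITLE = re.compile(r"\b(setup|admin|install|dashboard)\b", re.I)  # titles that usually mean a config UI

def build_query(domain, status=200, exclude_titles=(), include_title=None):
    """Compose a Shodan query as in the writeup: ssl:, http.status:, http.title: (a leading '-' negates)."""
    parts = [f"ssl:{domain}"]
    if status is not None:
        parts.append(f"http.status:{status}")
    parts += [f'-http.title:"{t}"' for t in exclude_titles]  # straight quotes, not curly ones
    if include_title:
        parts.append(f'http.title:"{include_title}"')
    return " ".join(parts)

def facet_counts(matches):
    """Offline stand-in for Shodan's http.title facet: how many banners share each title."""
    counts = {}
    for m in matches:
        title = (m.get("http") or {}).get("title") or "(no title)"
        counts[title] = counts.get(title, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def flag_exposed_panels(matches):
    """Return (ip, port, title) for banners whose HTML title looks like a setup/admin panel."""
    hits = []
    for m in matches:
        title = ((m.get("http") or {}).get("title") or "").strip()
        if PANEL_TITLE.search(title):
            hits.append((m["ip_str"], m["port"], title))
    return hits

# Constructed sample in the shape of the 'matches' list the Shodan API returns
SAMPLE_MATCHES = [
    {"ip_str": "203.0.113.10", "port": 443, "http": {"title": "Authorization required"}},
    {"ip_str": "203.0.113.11", "port": 443, "http": {"title": "Authorization required"}},
    {"ip_str": "203.0.113.12", "port": 8443, "http": {"title": "Setup"}},
    {"ip_str": "203.0.113.13", "port": 443, "http": {"title": "Status - example.com"}},
    {"ip_str": "203.0.113.14", "port": 443, "http": {}},
]

def load_matches(query):  # live results when SHODAN_API_KEY is set (assumes the official 'shodan' package)
    if not os.environ.get("SHODAN_API_KEY"):
        return SAMPLE_MATCHES
    import shodan
    return shodan.Shodan(os.environ["SHODAN_API_KEY"]).search(query)["matches"]

if __name__ == "__main__":
    matches = load_matches(build_query("example.com", exclude_titles=["Authorization required"]))
    print(facet_counts(matches))        # facet overview before drilling down
    print(flag_exposed_panels(matches))  # hosts to review: a 200 on a setup title means no auth in front
```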

Thank you 😊
