Sweet information disclosure leads to non-authorized authentication


Abida Fahd

Hello Hackers, today I will tell you how I was able to hack into the phpMyAdmin panel of a target and read all database content.

Image for post

The story started when I wanted to thank my teacher for all the knowledge he gave me during my 3 years of studies at the university of computer science, so I decided to offer a free pentest service to the University (web app testing).

So as always we have the main target ‘www.Target.com’. The first thing to do is to collect interesting information and enumerate subdomains!
I used ‘dnsdumpster.com’ for subdomains but unfortunately, I found nothing!
I moved to the Sublist3r tool:
The result wasn’t that good. I got one subdomain, ‘ftp.target.com’, and this is what it looks like:

Image for post

‘Ftp.target.com’

Before digging deeper into the subdomain I found, I decided to start a directory brute force on the main website ‘Target.com’.
The result was like this:

Image for post

So after checking all of them, one was very interesting: the /logout/ folder!
Btw, /web.confing had nothing interesting inside ^^
So when we enter ‘Target.com/logout/’ we find this:

Image for post

It's a login page, and you know what kind of stuff we can try when it comes to this :3!
So the first thing is to try a random login and password!
And no no no no, as expected, but something wrong happened!!!

Image for post

I got this huge error page lol. It seems that there is no condition check when it comes to wrong or null credentials, and it shows you where the error came from and it also shows the lines of the source code used inside the app LOOOL!

I had a feeling that by analyzing these error codes I might find something interesting, and yes! After some minutes I was able to find this:

Image for post
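The failure described above (a failed login returning stack frames, source lines and database credentials to the client) can be tested for on your own application's error responses. The Python check below is an added example, not part of the original post; the patterns, function names and the sample error page are constructed assumptions.

```python
import re

# Markers that should never appear in an error response sent to a client.
# These patterns are illustrative assumptions, not an exhaustive list.
LEAK_PATTERNS = {
    "stack_frame": re.compile(r"^\s*at\s+[\w.]+\(", re.M),
    "source_line": re.compile(r"\.\w{1,5}:line \d+|\bon line \d+|^Line \d+:", re.M | re.I),
    "credential": re.compile(r"\b(password|pwd|user id|uid)\s*=\s*([^;\"'\s<]+)", re.I),
}

def audit_error_body(body):
    """Return sorted (kind, evidence) findings; credential values are redacted."""
    findings = set()
    for kind, pattern in LEAK_PATTERNS.items():
        for m in pattern.finditer(body):
            if kind == "credential":
                # Report only the key name so the audit log does not leak the secret.
                evidence = m.group(1).lower() + "=<redacted>"
            else:
                evidence = m.group(0).strip()
            findings.add((kind, evidence))
    return sorted(findings)

# Constructed sample of a verbose error page (not taken from the article).
VERBOSE_ERROR = """<html><body><h1>Server Error</h1>
<pre>Unhandled exception: login failed for supplied user
   at App.Auth.Login(String user, String pass) in /srv/app/Auth/Login.cs:line 42
Line 40:   // constructed sample
Line 41:   var conn = "Server=db.example.internal;User Id=appuser;Password=EXAMPLE-ONLY;";
Line 42:   db.Open(conn);
</pre></body></html>"""

# What a failed login should return instead: a generic message, nothing else.
GENERIC_ERROR = "<html><body><p>Invalid username or password.</p></body></html>"

if __name__ == "__main__":
    for name, body in (("verbose", VERBOSE_ERROR), ("generic", GENERIC_ERROR)):
        findings = audit_error_body(body)
        print(name, "FAIL" if findings else "PASS")
        for kind, evidence in findings:
            print("   ", kind, "->", evidence)
```

Run against the bodies your login endpoint returns for wrong and empty credentials; any finding means detailed errors are reaching clients and should be replaced with a generic message plus server-side logging.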

This was so sweet to see, and now it's time to find how we can use this!
Basically, it's database credentials, but as we already saw, there was no PHPMyAdmin folder when I checked for directories …
In this case, I switched to the second subdomain and tried to see if there were any hidden folders!
The result was one directory called /pma/. It seems like the abbreviation of PHPMYADMIN, let's check it :D

Image for post

And yes it is!!

So now I just had to use the user and pass I already found to log in!
The first time, it didn't work, but no error was generated! I understood that the credentials were correct, but since I'm not in the same country as the target, I needed to change my IP address in order to be able to log in.
I used my phone with a VPN, also to make sure that the problem was not from my computer browser, you know, Chrome stuff…

Image for post

And voila!

Thanks for reading, hope you share it if you like it ❤