The easiest admin panel bypass


Paraskhorwal

In this article, I will discuss a vulnerability I identified that enabled me to bypass the admin panels of several organizations utilizing eXtplorer services.

First, let's discuss what eXtplorer is.
eXtplorer is an open-source web-based file manager typically used for managing files and directories on web servers. It provides a graphical interface that allows users to upload, download, edit, and manipulate files directly through a web browser.

To find eXtplorer dashboards, I used a simple Shodan dork:

title:"explorer"

After finding multiple dashboard URLs and IPs, I started exploring them one by one and selected some domains to exploit.

After some hit-and-try attempts, I finally found some IPs which were vulnerable to admin panel bypass.

So let’s start the process for exploitation.

First, open the IP and it will show a dashboard something like this:

Now let's open Burp Suite and turn on the Intruder to intercept the requests. Enter admin as both username and password.

Let's intercept the particular request where the username and password are shown in plain text.

Now remove the password field from the request to log in as an admin of the dashboard. The request will look like this:

After editing the request, forward it and turn off the intercept.

Go back to the browser and, boom, we have bypassed the admin panel with this simple method.
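From the defender's side, the request described above leaves a clear trace in captured traffic: a login POST that carries a username but no password field. The following detection sketch is an added example, not code from the original article or from eXtplorer; the field names "username" and "password", the record layout and the sample records are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs

# Assumed form field names; adjust to the login form actually deployed.
USER_FIELD = "username"
PASS_FIELD = "password"


def classify_login_body(body: str) -> str:
    """Classify a urlencoded POST body.

    Returns one of: 'not_login', 'ok', 'missing_password', 'empty_password'.
    """
    # keep_blank_values=True so "password=" is seen as present-but-empty
    # instead of being silently dropped by the parser.
    fields = parse_qs(body, keep_blank_values=True)
    if USER_FIELD not in fields:
        return "not_login"
    if PASS_FIELD not in fields:
        return "missing_password"
    if any(value == "" for value in fields[PASS_FIELD]):
        return "empty_password"
    return "ok"


def find_suspicious(records):
    """records: iterable of (src_ip, path, body) taken from proxy/WAF logs.

    Returns (src_ip, path, verdict) for every login attempt that was sent
    without a usable password field.
    """
    hits = []
    for src_ip, path, body in records:
        verdict = classify_login_body(body)
        if verdict in ("missing_password", "empty_password"):
            hits.append((src_ip, path, verdict))
    return hits


# Constructed sample records (documentation IP range, hypothetical paths).
SAMPLE = [
    ("203.0.113.10", "/index.php", "username=admin&password=s3cret"),
    ("203.0.113.11", "/index.php", "username=admin"),
    ("203.0.113.12", "/index.php", "username=admin&password="),
    ("203.0.113.13", "/index.php", "action=list&dir=%2F"),
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE):
        print(hit)
```

The same predicate works as a fail-closed gate in front of the login handler: any body that does not classify as 'ok' is rejected before the credential check runs.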

I hope you all like this article; I hope to publish more articles soon.

Thanks for reading
