{"id":439,"date":"2024-10-16T22:16:24","date_gmt":"2024-10-16T20:16:24","guid":{"rendered":"https:\/\/bergee.it\/blog\/?p=439"},"modified":"2024-10-16T23:24:51","modified_gmt":"2024-10-16T21:24:51","slug":"accessing-admin-panel-with-fuzzing-digging-and-guessing","status":"publish","type":"post","link":"https:\/\/bergee.it\/blog\/accessing-admin-panel-with-fuzzing-digging-and-guessing\/","title":{"rendered":"Accessing admin panel with fuzzing, digging and guessing"},"content":{"rendered":"<p>Hello folks<\/p>\n<p>This time I want to tell you the story how I gained access to some admin functionalities\u00a0 and leaked some sensitive info using FUFF, Burp, my eyes, and brain :).<\/p>\n<h3>Fuzzing<\/h3>\n<p>Let&#8217;s call the target &#8220;redacted.com&#8221;. I started fuzzing the target with FUFF and found an <em>\/admin<\/em> endpoint<\/p>\n<blockquote><p>https:\/\/redacted.com\/app\/admin<\/p><\/blockquote>\n<p>which displayed: &#8220;Sorry you&#8217;re not authorized to access the page&#8221; when entering the site.\u00a0 I moved on to testing other parts of an application. Later, I read Sam Curry&#8217;s article on Starbucks hacking by attacking secondary contexts :<\/p>\n<p><a href=\"https:\/\/samcurry.net\/hacking-starbucks\">https:\/\/samcurry.net\/hacking-starbucks<\/a><\/p>\n<p>I recommend reading it. I entered this site again and logged all the requests. But nothing was interesting besides the endpoint which gave me 403 response in burp.\u00a0 I tried playing with this endpoint as in the the article, but I quickly realized this is not the case. However, if I appended anything after the \/admin\/ such as:<\/p>\n<blockquote><p>https:\/\/redacted.com\/app\/admin\/xxx<\/p><\/blockquote>\n<p>I&#8217;ve got 404 response, so&#8230; BINGO. It should be 403, isn&#8217;t it?.<\/p>\n<h3>More fuzzing<\/h3>\n<p>I started the FUFF again and in a minute I found the <em>\/orders<\/em> endpoint:<\/p>\n<blockquote><p>https:\/\/redacted.com\/app\/admin\/orders<\/p><\/blockquote>\n<p>which returned a code with order IDs and numbers. Ok if we have some list of orders, now there must be an endpoint to view the order details.\u00a0 I tried to look for it somewhere in JavaScript files, with no luck, though. As I was already familiar with the app, I tried to guess it. After some trial and errors I guessed both endpoint and parameter name and it was:<\/p>\n<blockquote><p>https:\/\/redacted.com\/app\/admin\/orderdetails?orderdid=1<\/p><\/blockquote>\n<p>I could view the details of the first order in the system.<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-450 size-full\" src=\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2024\/10\/order_details_redacted-2.jpg\" alt=\"\" width=\"1845\" height=\"793\" srcset=\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2024\/10\/order_details_redacted-2.jpg 1845w, https:\/\/bergee.it\/blog\/wp-content\/uploads\/2024\/10\/order_details_redacted-2-300x129.jpg 300w, https:\/\/bergee.it\/blog\/wp-content\/uploads\/2024\/10\/order_details_redacted-2-1024x440.jpg 1024w, https:\/\/bergee.it\/blog\/wp-content\/uploads\/2024\/10\/order_details_redacted-2-768x330.jpg 768w, https:\/\/bergee.it\/blog\/wp-content\/uploads\/2024\/10\/order_details_redacted-2-1536x660.jpg 1536w, https:\/\/bergee.it\/blog\/wp-content\/uploads\/2024\/10\/order_details_redacted-2-850x365.jpg 850w\" sizes=\"auto, (max-width: 1845px) 100vw, 1845px\" \/><\/p>\n<h3>Digging in js files<\/h3>\n<p>So far so good. I could report it, but if I found these two endpoints, there must be more of them. I tried to fuzz this admin endpoint some more with FUFF\u00a0 using different lists but with no luck :(. Next day with fresh mind I decided to dive into javascript files by hand. I clicked around the app , logging the requests in burp and then looking through the js files. After a while\u00a0 I found some big chunks of commented out js code. And there where some endpoints I&#8217;ve never seen before using that app. I thought that these might be some admin endpoints as they started with: delete, remove, publish, unpublish words.\u00a0 It was some kind of e-learning app, so let&#8217;s assume these endpoins were like:<\/p>\n<blockquote><p>https:\/\/redacted.com\/app\/admin\/deleteCourse<\/p>\n<p>https:\/\/redacted.com\/app\/admin\/removeCourse<\/p>\n<p>https:\/\/redacted.com\/app\/admin\/unpublishCourse<\/p>\n<p>https:\/\/redacted.com\/app\/admin\/publishCourse<\/p><\/blockquote>\n<p>Reading js files and ajax requests I could easily construct the proper requests as I had the endpoints, the methods and the parameters.<\/p>\n<h3>The POC<\/h3>\n<p>The hard part was to create the POC not damaging any data in the app. As I could not create my own course, I decided to find the endpoint which gets the course id and then based on the responses, find the one that does not exist. That was pretty easy , just using the app and logging the requests. Then I used this course id in the endpoints mentioned above. If The status code returned 200, that was the proof the endpoints were not properly secured. After some digging I found some more enpoints. I reported all the finding and was rewarded a nice bounty.<\/p>\n<p>&nbsp;<\/p>\n<p>Reward : 2000 USD<\/p>\n<p>See you next bug<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hello folks This time I want to tell you the story how I gained access to some admin functionalities\u00a0 and leaked some sensitive info using FUFF, Burp, my eyes, and brain :). Fuzzing Let&#8217;s call the target &#8220;redacted.com&#8221;. I started fuzzing the target with FUFF and found an \/admin endpoint https:\/\/redacted.com\/app\/admin which displayed: &#8220;Sorry you&#8217;re&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1,32,29],"tags":[],"class_list":["post-439","post","type-post","status-publish","format-standard","hentry","category-bez-kategorii","category-bug-bounty","category-write-up"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.2 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Accessing admin panel with fuzzing, digging and guessing - Bergee&#039;s Stories on Bug Hunting<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/bergee.it\/blog\/accessing-admin-panel-with-fuzzing-digging-and-guessing\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Accessing admin panel with fuzzing, digging and guessing - Bergee&#039;s Stories on Bug Hunting\" \/>\n<meta property=\"og:description\" content=\"Hello folks This time I want to tell you the story how I gained access to some admin functionalities\u00a0 and leaked some sensitive info using FUFF, Burp, my eyes, and brain :). Fuzzing Let&#8217;s call the target &#8220;redacted.com&#8221;. I started fuzzing the target with FUFF and found an \/admin endpoint https:\/\/redacted.com\/app\/admin which displayed: &#8220;Sorry you&#8217;re...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/bergee.it\/blog\/accessing-admin-panel-with-fuzzing-digging-and-guessing\/\" \/>\n<meta property=\"og:site_name\" content=\"Bergee&#039;s Stories on Bug Hunting\" \/>\n<meta property=\"article:published_time\" content=\"2024-10-16T20:16:24+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-10-16T21:24:51+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2024\/10\/order_details_redacted-2.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1845\" \/>\n\t<meta property=\"og:image:height\" content=\"793\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"bergee\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@https:\/\/twitter.com\/bergee\" \/>\n<meta name=\"twitter:site\" content=\"@bergee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"bergee\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/bergee.it\/blog\/accessing-admin-panel-with-fuzzing-digging-and-guessing\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/bergee.it\/blog\/accessing-admin-panel-with-fuzzing-digging-and-guessing\/\"},\"author\":{\"name\":\"bergee\",\"@id\":\"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73\"},\"headline\":\"Accessing admin panel with fuzzing, digging and guessing\",\"datePublished\":\"2024-10-16T20:16:24+00:00\",\"dateModified\":\"2024-10-16T21:24:51+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/bergee.it\/blog\/accessing-admin-panel-with-fuzzing-digging-and-guessing\/\"},\"wordCount\":587,\"publisher\":{\"@id\":\"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73\"},\"image\":{\"@id\":\"https:\/\/bergee.it\/blog\/accessing-admin-panel-with-fuzzing-digging-and-guessing\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2024\/10\/order_details_redacted-2.jpg\",\"articleSection\":[\"Bez kategorii\",\"bug bounty\",\"write-up\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/bergee.it\/blog\/accessing-admin-panel-with-fuzzing-digging-and-guessing\/\",\"url\":\"https:\/\/bergee.it\/blog\/accessing-admin-panel-with-fuzzing-digging-and-guessing\/\",\"name\":\"Accessing admin panel with fuzzing, digging and guessing - Bergee&#039;s Stories on Bug Hunting\",\"isPartOf\":{\"@id\":\"https:\/\/bergee.it\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/bergee.it\/blog\/accessing-admin-panel-with-fuzzing-digging-and-guessing\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/bergee.it\/blog\/accessing-admin-panel-with-fuzzing-digging-and-guessing\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2024\/10\/order_details_redacted-2.jpg\",\"datePublished\":\"2024-10-16T20:16:24+00:00\",\"dateModified\":\"2024-10-16T21:24:51+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/bergee.it\/blog\/accessing-admin-panel-with-fuzzing-digging-and-guessing\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/bergee.it\/blog\/accessing-admin-panel-with-fuzzing-digging-and-guessing\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/bergee.it\/blog\/accessing-admin-panel-with-fuzzing-digging-and-guessing\/#primaryimage\",\"url\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2024\/10\/order_details_redacted-2.jpg\",\"contentUrl\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2024\/10\/order_details_redacted-2.jpg\",\"width\":1845,\"height\":793},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/bergee.it\/blog\/accessing-admin-panel-with-fuzzing-digging-and-guessing\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/bergee.it\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Accessing admin panel with fuzzing, digging and guessing\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/bergee.it\/blog\/#website\",\"url\":\"https:\/\/bergee.it\/blog\/\",\"name\":\"Bergee&#039;s Stories on Bug Hunting\",\"description\":\"hacking, cyber security and programming\",\"publisher\":{\"@id\":\"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/bergee.it\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73\",\"name\":\"bergee\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png\",\"url\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png\",\"contentUrl\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png\",\"width\":129,\"height\":150,\"caption\":\"bergee\"},\"logo\":{\"@id\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png\"},\"sameAs\":[\"http:\/\/localhost\/wordpress\",\"https:\/\/www.linkedin.com\/in\/bartlomiej-bergier\",\"https:\/\/x.com\/https:\/\/twitter.com\/bergee\"],\"url\":\"https:\/\/bergee.it\/blog\/author\/bergee\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Accessing admin panel with fuzzing, digging and guessing - Bergee&#039;s Stories on Bug Hunting","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/bergee.it\/blog\/accessing-admin-panel-with-fuzzing-digging-and-guessing\/","og_locale":"en_US","og_type":"article","og_title":"Accessing admin panel with fuzzing, digging and guessing - Bergee&#039;s Stories on Bug Hunting","og_description":"Hello folks This time I want to tell you the story how I gained access to some admin functionalities\u00a0 and leaked some sensitive info using FUFF, Burp, my eyes, and brain :). Fuzzing Let&#8217;s call the target &#8220;redacted.com&#8221;. I started fuzzing the target with FUFF and found an \/admin endpoint https:\/\/redacted.com\/app\/admin which displayed: &#8220;Sorry you&#8217;re...","og_url":"https:\/\/bergee.it\/blog\/accessing-admin-panel-with-fuzzing-digging-and-guessing\/","og_site_name":"Bergee&#039;s Stories on Bug Hunting","article_published_time":"2024-10-16T20:16:24+00:00","article_modified_time":"2024-10-16T21:24:51+00:00","og_image":[{"width":1845,"height":793,"url":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2024\/10\/order_details_redacted-2.jpg","type":"image\/jpeg"}],"author":"bergee","twitter_card":"summary_large_image","twitter_creator":"@https:\/\/twitter.com\/bergee","twitter_site":"@bergee","twitter_misc":{"Written by":"bergee","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/bergee.it\/blog\/accessing-admin-panel-with-fuzzing-digging-and-guessing\/#article","isPartOf":{"@id":"https:\/\/bergee.it\/blog\/accessing-admin-panel-with-fuzzing-digging-and-guessing\/"},"author":{"name":"bergee","@id":"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73"},"headline":"Accessing admin panel with fuzzing, digging and guessing","datePublished":"2024-10-16T20:16:24+00:00","dateModified":"2024-10-16T21:24:51+00:00","mainEntityOfPage":{"@id":"https:\/\/bergee.it\/blog\/accessing-admin-panel-with-fuzzing-digging-and-guessing\/"},"wordCount":587,"publisher":{"@id":"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73"},"image":{"@id":"https:\/\/bergee.it\/blog\/accessing-admin-panel-with-fuzzing-digging-and-guessing\/#primaryimage"},"thumbnailUrl":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2024\/10\/order_details_redacted-2.jpg","articleSection":["Bez kategorii","bug bounty","write-up"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/bergee.it\/blog\/accessing-admin-panel-with-fuzzing-digging-and-guessing\/","url":"https:\/\/bergee.it\/blog\/accessing-admin-panel-with-fuzzing-digging-and-guessing\/","name":"Accessing admin panel with fuzzing, digging and guessing - Bergee&#039;s Stories on Bug Hunting","isPartOf":{"@id":"https:\/\/bergee.it\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/bergee.it\/blog\/accessing-admin-panel-with-fuzzing-digging-and-guessing\/#primaryimage"},"image":{"@id":"https:\/\/bergee.it\/blog\/accessing-admin-panel-with-fuzzing-digging-and-guessing\/#primaryimage"},"thumbnailUrl":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2024\/10\/order_details_redacted-2.jpg","datePublished":"2024-10-16T20:16:24+00:00","dateModified":"2024-10-16T21:24:51+00:00","breadcrumb":{"@id":"https:\/\/bergee.it\/blog\/accessing-admin-panel-with-fuzzing-digging-and-guessing\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/bergee.it\/blog\/accessing-admin-panel-with-fuzzing-digging-and-guessing\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/bergee.it\/blog\/accessing-admin-panel-with-fuzzing-digging-and-guessing\/#primaryimage","url":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2024\/10\/order_details_redacted-2.jpg","contentUrl":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2024\/10\/order_details_redacted-2.jpg","width":1845,"height":793},{"@type":"BreadcrumbList","@id":"https:\/\/bergee.it\/blog\/accessing-admin-panel-with-fuzzing-digging-and-guessing\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/bergee.it\/blog\/"},{"@type":"ListItem","position":2,"name":"Accessing admin panel with fuzzing, digging and guessing"}]},{"@type":"WebSite","@id":"https:\/\/bergee.it\/blog\/#website","url":"https:\/\/bergee.it\/blog\/","name":"Bergee&#039;s Stories on Bug Hunting","description":"hacking, cyber security and programming","publisher":{"@id":"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/bergee.it\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73","name":"bergee","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png","url":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png","contentUrl":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png","width":129,"height":150,"caption":"bergee"},"logo":{"@id":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png"},"sameAs":["http:\/\/localhost\/wordpress","https:\/\/www.linkedin.com\/in\/bartlomiej-bergier","https:\/\/x.com\/https:\/\/twitter.com\/bergee"],"url":"https:\/\/bergee.it\/blog\/author\/bergee\/"}]}},"_links":{"self":[{"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/posts\/439","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/comments?post=439"}],"version-history":[{"count":14,"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/posts\/439\/revisions"}],"predecessor-version":[{"id":457,"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/posts\/439\/revisions\/457"}],"wp:attachment":[{"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/media?parent=439"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/categories?post=439"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/tags?post=439"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}