A Unique Admin Panel Bypass - Bug bounty writeup

An OTP bypass bug led to access to an admin panel holding thousands of customer records and support tickets.


Admin panel

Today, in this post I will be sharing my write-up on an admin panel bypass that I found while doing my regular bug bounty hunting.

This write-up is very unique, because it does not need authentication in the first place and it does not require any sort of response manipulation, no brute force, and no old school stuff.

While testing a target, I came across a subdomain that was an admin panel. Upon inspection I thought it would be hard to get into and better to leave, as it requires a valid username and then a valid phone number linked to it; after that it sends an OTP to that mobile number and, once the OTP is verified, grants access to the admin panel.

Let's Break the Application's Logic

When you visit the subdomain (the admin panel), it asks you to enter a username. If the username is valid, it asks you to enter the phone number linked to that username. If the phone number is found, it sends an OTP; after the OTP verification succeeds, it grants access to the admin panel.

The most difficult part is guessing the username and a valid phone number. If you send multiple requests, the WAF will block you, so brute forcing is challenging.

The application is running on PHP. I thought I could give SQL injection a try, but it failed.

It's Time to Exploit

Observing the HTTP requests and responses in Burp's Proxy History, after entering the valid username admin, it redirected to the phone.php page, where we have to enter a valid phone number and an OTP.

Step 1
Now, on the phone.php page we have to enter a valid phone number and a valid OTP. To my surprise, the phone number was hardcoded in the response itself, in the page's JavaScript source. I used that phone number and sent an OTP to it.
After analysing the source code (view-source), I noticed that the OTP was only being validated on the client side. If the OTP is valid, it redirects the user to set a password. I could not access the OTP, since it was sent to the admin.

Out of curiosity, I have opened the page setpass.php

Now it asked for a new password and a confirmation password. I set a random password and submitted. The application processed the request successfully.


Now I came back to the login page and entered the username and the newly set password. Boom, it redirected me to the dashboard. For some reasons, I cannot show you screenshots of the internal admin panel.
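For comparison, here is how the same username, phone, OTP, set-password flow looks when every step is gated on the server. This is a constructed Python model added to this write-up, not the target's PHP (which I never saw); the class, method and session names are assumptions. The two fixes it shows are that the phone number never leaves the server and that set_password refuses any session that did not pass verify_otp, which is the check setpass.php was missing.

```python
import hashlib, hmac, secrets, time

OTP_TTL_SECONDS, MAX_OTP_ATTEMPTS = 300, 5

def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class ResetFlow:
    """Server-side state for username -> phone -> OTP -> set-password (constructed example)."""
    def __init__(self, users):  # users: username -> {"phone": str, "pw": None or (salt, hash)}
        self.users = users
        self.sessions = {}  # opaque session id -> flow state, kept only on the server

    def start(self, username):
        # Step 1: the client gets only a session id; the phone number never leaves the server.
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": username, "otp_verified": False}
        return sid

    def send_otp(self, sid, phone_entered):
        # Step 2: the entered phone must match the server's record (constant-time compare).
        s = self.sessions[sid]
        user = self.users.get(s["user"])
        if user is None or not hmac.compare_digest(user["phone"].encode(), phone_entered.encode()):
            return None
        otp = f"{secrets.randbelow(10**6):06d}"
        s.update(otp_hash=hashlib.sha256(otp.encode()).hexdigest(),
                 otp_expires=time.time() + OTP_TTL_SECONDS, attempts=0)
        return otp  # delivered out of band (SMS); returned only so a test can drive the flow

    def verify_otp(self, sid, otp_entered):
        # Step 3: the OTP is checked here on the server, never in client-side JavaScript.
        s = self.sessions[sid]
        if "otp_hash" not in s or time.time() > s["otp_expires"] or s["attempts"] >= MAX_OTP_ATTEMPTS:
            return False
        s["attempts"] += 1
        s["otp_verified"] = hmac.compare_digest(s["otp_hash"], hashlib.sha256(otp_entered.encode()).hexdigest())
        return s["otp_verified"]

    def set_password(self, sid, new_password):
        # Step 4: the check setpass.php lacked: refuse unless this session passed verify_otp().
        s = self.sessions[sid]
        if not s.get("otp_verified"):
            return False
        salt = secrets.token_bytes(16)
        self.users[s["user"]]["pw"] = (salt, hash_pw(new_password, salt))
        s["otp_verified"] = False  # one-shot: a verified OTP authorizes exactly one reset
        return True
```

Jumping straight from start() to set_password(), which is what opening setpass.php directly did here, is refused because the session never reached the verified state.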


Hope you guys learnt something new.



Hi, I'm Basudev
A Professional Blogger & Hacker Interested in Infosec, Web Development, Programming
