Exploiting Admin Consoles

• Locate the administration console
• Just login
  • Using default credentials
  • Use gathered information to guess passwords
  • Brute Force
• How to:
  • Setup the Target (Windows): Launch XAMPP and its MySQL and Apache modules.
  • dirb https/10.11.0.22 -r
  • https/10.11.0.22/phpmyadmin/
  • Default credentials are root for the username and a blank password
  • But this default can be overwritten with the AllowNoPassword parameter in the C:\xampp\phpMyAdmin\config.inc.php

Burp Suite Intruder

• Try some password and check the HTTP history in burp
• There are unfortunately session keys and/or tokens used which makes it a bit more difficult to automate, but usually these values can be retrieved from the last response (hidden)
• Right-click a sample and select "Send to Intruder"
  • Target: Usually the present from the sample request is fine
  • Positions: Specify the which are populated by burp
    • Select the value(s) and click the Add button
    • Set Attack type to Pitchfork
  • Options
    • Under Grep -Extract
      • Select Add and in the new windows select the value which should be extracted
      • Repeat
  • Payloads
    • Payload set = the sequential position in the HTTP request
    • Payload type ==
      • Recursive grep for all the grepped values
        • Always add a initial payload
        • Depending on the payload position we might want to NOT URL-encode them (e.g.: Tokens)
      • Simple list for the passwords
    • Review the payloads and select Start attack
    • Usually a 302 Response = Success

Relevant Note(s):