Exploiting Admin Consoles

  • Locate the administration console
  • Just login
    • Using default credentials
    • Use gathered information to guess passwords
    • Brute Force
  • How to:
    • Setup the Target (Windows): Launch XAMPP and its MySQL and Apache modules.
    • dirb https://10.11.0.22 -r
    • https://10.11.0.22/phpmyadmin/
    • Default credentials are root for the username and a blank password
    • Whether a blank password is accepted is controlled by the AllowNoPassword parameter in C:\xampp\phpMyAdmin\config.inc.php; setting it to false rejects the blank-password default
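The AllowNoPassword setting above is worth checking on every XAMPP or phpMyAdmin host you are responsible for. The following is an added example (not phpMyAdmin's, XAMPP's, or this note's own code) that parses the `$cfg['Servers'][$i][...]` lines of a config.inc.php, reports which server entries explicitly allow empty passwords, and produces the corrected text with the setting turned off. The config excerpt is constructed to resemble the shipped file; only the file path comes from the notes.

```python
"""Flag phpMyAdmin server entries that accept a blank password.

Added example; not part of phpMyAdmin or XAMPP. Assumes the usual
config.inc.php layout in which server blocks are separated by "$i++;"
and each setting is written as $cfg['Servers'][$i]['Key'] = value;.
"""
import re

CONFIG_PATH = r"C:\xampp\phpMyAdmin\config.inc.php"  # path from the notes; not read here

# Constructed sample resembling the relevant lines of config.inc.php.
SAMPLE_CONFIG = """<?php
$i = 0;
$i++;
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['AllowNoPassword'] = true;
$i++;
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['AllowNoPassword'] = false;
"""

_INC = re.compile(r"^\s*\$i\+\+\s*;")
_SET = re.compile(
    r"^\s*\$cfg\['Servers'\]\[\$i\]\['(?P<key>\w+)'\]\s*=\s*(?P<val>[^;]+);")


def parse_servers(config_text):
    """Return {server_index: {key: raw_value}} for $cfg['Servers'][$i] lines."""
    servers = {}
    i = 0
    for line in config_text.splitlines():
        if _INC.match(line):
            i += 1  # next server block
            continue
        m = _SET.match(line)
        if m:
            servers.setdefault(i, {})[m.group("key")] = m.group("val").strip()
    return servers


def blank_password_servers(config_text):
    """Indices of servers with AllowNoPassword = true (the default is false when absent)."""
    return [idx for idx, s in parse_servers(config_text).items()
            if s.get("AllowNoPassword", "").lower() == "true"]


def harden(config_text):
    """Return the config text with every AllowNoPassword = true changed to false."""
    return re.sub(r"(\['AllowNoPassword'\]\s*=\s*)true", r"\1false", config_text)


if __name__ == "__main__":
    # Run against a real file with: parse_servers(open(CONFIG_PATH).read())
    print("servers allowing blank passwords:", blank_password_servers(SAMPLE_CONFIG))
    print(harden(SAMPLE_CONFIG))
```

Running it on the constructed sample reports server 1; after `harden()` no entry accepts an empty password. Note that a missing AllowNoPassword line is treated as false, which matches phpMyAdmin's documented default.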

Burp Suite Intruder

  • Try some password and check the HTTP history in burp
  • Session keys and/or tokens (usually hidden form fields) make automation a bit harder, but their values can normally be extracted from the previous response
  • Right-click a sample and select “Send to Intruder”
    • Target: the host pre-filled from the sample request is usually fine
    • Positions: specify the payload positions (Burp pre-populates them)
      • Select the value(s) and click the Add button
      • Set Attack type to Pitchfork
    • Options
      • Under Grep - Extract
        • Select Add and in the new window select the value which should be extracted
        • Repeat
    • Payloads
      • Payload set = the sequential position in the HTTP request
      • Payload type:
        • Recursive grep for all the grepped values
          • Always add an initial payload
          • Depending on the payload position we might want to NOT URL-encode them (e.g.: Tokens)
        • Simple list for the passwords
      • Review the payloads and select Start attack
      • Usually a 302 response means the login succeeded (a 200 returns the form again)
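From the defender's side, the same behaviour the notes rely on (many POSTs to the login form returning 200, then a 302 once a guess succeeds) is what makes this activity easy to spot in the web server log. The following is an added example, not Burp's or phpMyAdmin's code, that runs that detection over Apache combined-format lines: it alerts when one source exceeds a failure threshold inside a time window, and separately when a 302 follows a run of failures. The log lines, IPs, threshold, window and the `/phpmyadmin/index.php` login path are all constructed assumptions.

```python
"""Detect password guessing against a phpMyAdmin login in Apache access logs.

Added example; not from Burp, phpMyAdmin or these notes. Assumes Apache
combined log format, that the login form POSTs to LOGIN_PATH, and (as the
notes state) that 302 means a successful login while 200 means failure.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) ')
LOGIN_PATH = "/phpmyadmin/index.php"  # assumed login endpoint
WINDOW = timedelta(minutes=5)         # assumed sliding window
THRESHOLD = 5                         # assumed failed POSTs per source within WINDOW

# Constructed log lines: one source fails six times then succeeds,
# another mistypes once then logs in, plus an unrelated GET.
SAMPLE_LOG = [
    '10.11.0.5 - - [10/Oct/2023:13:55:36 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"',
    '10.11.0.5 - - [10/Oct/2023:13:55:37 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"',
    '10.11.0.5 - - [10/Oct/2023:13:55:38 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"',
    '10.11.0.7 - - [10/Oct/2023:13:55:38 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 4521 "-" "Mozilla/5.0"',
    '10.11.0.5 - - [10/Oct/2023:13:55:39 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"',
    '10.11.0.5 - - [10/Oct/2023:13:55:40 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"',
    '10.11.0.5 - - [10/Oct/2023:13:55:41 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"',
    '10.11.0.5 - - [10/Oct/2023:13:55:42 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.11.0.9 - - [10/Oct/2023:13:56:00 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"',
    '10.11.0.9 - - [10/Oct/2023:13:56:10 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for non-matching lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def detect(lines):
    """Return alerts as tuples: ('bruteforce', ip, failures) or
    ('success_after_failures', ip, failures)."""
    failures = defaultdict(list)  # ip -> timestamps of failed login POSTs in WINDOW
    flagged = set()               # ips already reported for this burst
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or path != LOGIN_PATH:
            continue
        recent = [t for t in failures[ip] if ts - t <= WINDOW]
        if status == 302:
            # Success: alert only if it follows a burst of failures
            if len(recent) >= THRESHOLD:
                alerts.append(("success_after_failures", ip, len(recent)))
            failures[ip] = []
            flagged.discard(ip)
            continue
        recent.append(ts)
        failures[ip] = recent
        if len(recent) >= THRESHOLD and ip not in flagged:
            alerts.append(("bruteforce", ip, len(recent)))
            flagged.add(ip)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed lines this reports a `bruteforce` alert for 10.11.0.5 at the fifth failure and a `success_after_failures` alert when its 302 arrives; the single typo from 10.11.0.9 stays below the threshold and is not reported. The second alert type is the one to prioritise, since it indicates the guessing produced a valid credential.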

Relevant Note(s):