Admin Login Bypass in a Coaching system
Hello readers I am Aditya , Recently hunting around in a coaching site I found a critical bug at https://sandeepsappal.in/AdminLogin/admin/admin endpoint which lets you to access admin panel with a minor change in response code the bug is already fixed now by respective developer team.
It is a report that I’ve already reported to a Teaching platform which gives training of web development and related technologies . In this site I found an Admin panel against which I started playing around My main goal is to bypass the login of admin panel .
So for this I used my own developed methodology in which my try-failure are : At first I used the basic default login credentials [admin admin , admin password , root toor …….. etc there is a full list for this I automate this task] but with this I got nothing so moving around I tried to bypass the login with some NoSQL queries as SQL queries are not showing any errors I thought the back-end database is MongoDB or Orient Db but with this also there was no luck.
Finally I open my request response interceptor Burpsuite pro and tried to investigate the request and response . The bug is so funny and simple the response is like given below when I give wrong credentials :
See at the end there is {“ RESULT ” : false } I changed it to true
Guess what happened I logged in to admin panel so now I can add new user , new student , new courses also can give assignments to their students , also can remove students . Some of their students are my friends I simply took their password for future I know this is unethical but 😁😁😁.
I didn’t dump their any data and responsibly reported the bug. I also attached below a POC video for learning purpose only.
Thanks for reading this and if you like this give me a clap 👏👏 .