Super Admin panel without Credentials 😎

As-Salaam-Alaikum.

I am back with another writeup. I hope you guys are hunting and earning bounties. This time I was able to access a super admin panel without credentials 😎. Let's start.

Scenario

I was hunting on a VDP program; let's call it vdp.com. It has a huge scope: 82k subdomains, which came down to 6k after running httpx. I was just scrolling and checking each subdomain one by one, and after some time I opened this subdomain: https://selectwifi.vdp.com. I have one habit: whenever I hunt on any program I always keep Burp running in the background to see how the URL loads and what changes happen behind the scenes. I opened that URL and saw this login page.

Login page (screenshot)

There is no signup page, only a login page. I just waited here and thought about what I could do. I used waybackurls and gau and found nothing. After that I used the gospider tool, which gave me a bunch of URLs, some JS files and some CSS files. I was just scrolling and found this URL: http://admin.selectwifi.vdp.com/dashboard-super.html. I opened it and saw the super admin panel, but after a moment it redirected me to the login page. Looking at Burp Suite, I wondered why they redirect me to the login: is the validation on the client side or on the server side? After figuring it out: it validates on the client side, through a JS file I had found with gospider. I simply disabled JavaScript in my browser and I was able to use the full super admin panel. There are a lot more things there, like a staff page and an announcement page where I can make announcements for all staff members.
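To make the root cause concrete, here is an added example (my own illustration, not the author's code and not anything from the vdp.com application) contrasting the weak pattern described above with the fix. The first function models a hypothetical dashboard script whose redirect only exists when the browser executes it; the second models the server deciding authorization before any admin HTML is sent; the third is a small detection aid that scans constructed access-log lines for admin pages served with status 200 and no session cookie, which is the symptom a defender would hunt for. All paths, session ids, roles, IPs and the log line format are assumptions made for this example.

```javascript
// Added illustration: client-side-only gate vs. server-side authorization,
// plus a log check for the symptom. Every name and value here is constructed.

// --- Weak pattern: the gate lives in a script the browser may or may not run ---
// Models a hypothetical dashboard JS file. The HTML is already served to anyone;
// the "protection" only exists if this function actually executes in the browser.
function clientSideGate(browser) {
  // browser = { javascriptEnabled: bool, localStorage: { token?: string } }
  if (!browser.javascriptEnabled) {
    return "render"; // script never runs, so the full page is shown
  }
  return browser.localStorage.token ? "render" : "redirect:/login";
}

// --- Hardened pattern: the server decides before sending a single byte ---
// Assumed admin paths for this example (not the real application's routes).
const ADMIN_PATH_PREFIXES = ["/dashboard-super.html", "/staff", "/announcements"];

function isAdminPath(path) {
  return ADMIN_PATH_PREFIXES.some((p) => path.startsWith(p));
}

function serverSideGate(request, sessions) {
  // request  = { path: string, cookie?: string }   (cookie carries the session id)
  // sessions = Map<sessionId, { user: string, role: string }> kept on the server
  if (!isAdminPath(request.path)) return { status: 200, body: "public" };

  const session = request.cookie ? sessions.get(request.cookie) : undefined;
  if (!session) return { status: 302, location: "/login" }; // unauthenticated
  if (session.role !== "super_admin") return { status: 403, body: "forbidden" };
  return { status: 200, body: "dashboard-super" }; // authenticated and authorized
}

// --- Detection aid: admin pages served (200) without any session cookie ---
// Constructed log line format for this example:
//   <ip> "<METHOD> <path>" <status> "<cookie or ->"
const LOG_RE = /^(\S+) "(\w+) (\S+)" (\d{3}) "([^"]*)"$/;

function findUngatedAdminHits(logLines) {
  const hits = [];
  for (const line of logLines) {
    const m = LOG_RE.exec(line);
    if (!m) continue; // skip lines that do not match the expected format
    const [, ip, , path, status, cookie] = m;
    const hasSession = cookie.includes("session=");
    if (isAdminPath(path) && status === "200" && !hasSession) {
      hits.push({ ip, path });
    }
  }
  return hits;
}

// Constructed sample log: one ungated admin hit, one legitimate hit, one redirect.
const SAMPLE_LOG = [
  '203.0.113.5 "GET /login.html" 200 "-"',
  '203.0.113.5 "GET /dashboard-super.html" 200 "-"',
  '198.51.100.9 "GET /dashboard-super.html" 200 "session=s1"',
  '198.51.100.9 "GET /staff" 302 "-"',
];

// Constructed session store for a stand-alone run.
const SAMPLE_SESSIONS = new Map([
  ["s1", { user: "alice", role: "super_admin" }],
  ["s2", { user: "bob", role: "staff" }],
]);

console.log("no JS, client gate:", clientSideGate({ javascriptEnabled: false, localStorage: {} }));
console.log("no cookie, server gate:", serverSideGate({ path: "/dashboard-super.html" }, SAMPLE_SESSIONS));
console.log("ungated admin hits:", findUngatedAdminHits(SAMPLE_LOG));
```

The point of the contrast: with `clientSideGate`, turning JavaScript off makes the check disappear, because the HTML was never withheld in the first place; with `serverSideGate`, the decision is tied to server-held session state, so the browser's behaviour cannot change it. The log check is the cheapest way to confirm whether a deployed app has the weak pattern: any 200 on an admin path with no session cookie is a finding.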

Raju.

Steps to Reproduce

  1. First of all, disable JavaScript in your browser.
  2. Go to this URL: https://admin.selectwifi.vdp.com/dashboard-super.html
  3. Enjoy the full super admin panel.

Takeaway

If you see a login page and there are no signup options, use the gospider tool or waybackurls.

Bug Hunter Infosec Guy