Back in 2018 when I was in high school, the site owner asked me to check the security of their website. They were curious because I had previously found a vulnerability on another site of theirs and reported it. With their permission, I started exploring the site.
My first move was to find the login page, as I had successfully performed SQL Injection on their previous website. Although I eventually found the admin panel login page, my attempts at SQL Injection failed this time. 😅 I tried other techniques, but still no luck. Feeling a bit frustrated, I eventually gave up, thinking, “Well, it looks like they’ve done a good job securing this site!”
But here’s the thing I discovered while searching for their admin login page. I was doing some Google Dorking and stumbled upon their blog subdomain, let’s call it blog.redacted.com. Just like before, I thought of giving SQL injection a shot on their login page. After locating the login page, I tried out this SQL payload:
' or 1=1 limit 1;# --
Guess what happened? I successfully logged into their admin panel and could manage their blog posts. To cut the story short, I found a file upload vulnerability in the end. I exploited it to upload my favorite web shell (B374k 🤫), took control of their system, and successfully accessed their server and database. This included both blog.redacted.com and the main domain that I had previously failed to hack.
Oh, just so you know, this site was using CodeIgniter as its stack. That's why, at that time, I could still do SQL injection. As we're aware, SQL injection is still possible on some platforms.
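To show what the payload above is actually doing, here is an added, runnable illustration that is not part of the original post and not the site's code. It uses a constructed SQLite table and a typical "exactly one row matched" login check; everything about the schema and credentials is assumed. SQLite has no `#` comment, so the post's MySQL-style payload is written with `--` instead, and the trailing `;` is dropped because the comment already discards the rest of the statement. The second payload, without `LIMIT 1`, shows why that clause is there: `OR 1=1` matches every user, and a `num_rows() == 1` style check would otherwise reject the login.

```python
import sqlite3


def make_db():
    """Constructed sample table (assumed schema); stands in for the blog's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("admin", "correct horse battery", "admin"), ("editor", "hunter2", "editor")],
    )
    return conn


def build_vulnerable_sql(username, password):
    # The bug: user input is spliced into the SQL text, so it can change the query's grammar.
    return (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )


def login_vulnerable(conn, username, password):
    """Concatenated query plus the common 'exactly one row matched' check."""
    rows = conn.execute(build_vulnerable_sql(username, password)).fetchall()
    return rows[0] if len(rows) == 1 else None


def login_safe(conn, username, password):
    """Same check with a parameterised query: the input stays data, never SQL."""
    rows = conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()
    return rows[0] if len(rows) == 1 else None


# SQLite-flavoured equivalent of the post's payload ("' or 1=1 limit 1;# --").
# The '--' comments out the closing quote and the whole AND password = '...' clause.
PAYLOAD = "' OR 1=1 LIMIT 1 -- "
# Same thing without LIMIT 1: every row matches, so a one-row check fails.
PAYLOAD_NO_LIMIT = "' OR 1=1 -- "


if __name__ == "__main__":
    conn = make_db()
    print(build_vulnerable_sql(PAYLOAD, "x"))
    print("vulnerable, with LIMIT 1:   ", login_vulnerable(conn, PAYLOAD, "x"))
    print("vulnerable, without LIMIT 1:", login_vulnerable(conn, PAYLOAD_NO_LIMIT, "x"))
    print("parameterised, same payload:", login_safe(conn, PAYLOAD, "x"))
    print("parameterised, real creds:  ", login_safe(conn, "admin", "correct horse battery"))
```

The first vulnerable call returns the first row of the table, which on most installs is the admin account, without knowing any password. Against the parameterised query the same payload is just a username string that matches nobody.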
After that, I was thrilled and reported my findings to them. Following my report, they patched their system and added a captcha for extra security.
That’s all. I’m trying to keep the story short because that’s not the main story I want to tell you.
Now, let’s discuss the main story. Recently, I’ve been eager to share the story I wrote earlier. However, I lacked proof to validate whether what I told you was true or not. Anyone can craft a cool story, but without proof, people might call me a script kiddie. So, I revisited the website. As expected, there was no SQL injection to be found anymore. 😅 But here’s what I did to take control of the system a second time.
I used Kali Linux on VirtualBox and downloaded an admin panel finder to speed up the search for the admin panel. Here are the results:
I checked every page that showed up from that tool, and the valid one was “adminpanel/”. Now, maybe you’ll think the same as me — now what? 😅 SQL Injection seemed impossible. Feeling a bit hopeless, I tried this powerful method. 😌
username : admin
password : admin
IT WORKED! HAHAHAHA! It was a simple default credentials attack 😭. I was surprised and, at the same time, feeling a bit crazy because it was something so simple and easy. Maybe every time I go for hacking, luck is always by my side 🤣.
We’re in and ready to upload our new web shell, just like in the past. After successfully uploading my web shell, I dug deeper into their server and found around 1,000 employee files, including ID cards, driver’s licenses, and personal pictures.
After making this new discovery, I reported it again to the owner.
What can we learn from this story?
Tools: