From 70beb193c4cf71f58d6773c9a4cda5f37c981b46 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Sun, 14 Jun 2026 19:32:21 +0000 Subject: [PATCH] Add content from: I Accidentally Logged in as Admin to a Threat Actor Website --- .../web-vulnerabilities-methodology.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/src/pentesting-web/web-vulnerabilities-methodology.md b/src/pentesting-web/web-vulnerabilities-methodology.md index 3bdd35bb45d..36f4067c0e8 100644 --- a/src/pentesting-web/web-vulnerabilities-methodology.md +++ b/src/pentesting-web/web-vulnerabilities-methodology.md @@ -88,6 +88,24 @@ WebSocket upgrades automatically forward cookies and do not block `ws://127.0.0. If you can pass arbitrary JVM flags (such as `AdditionalJavaArguments`), force an error with `-XX:MaxMetaspaceSize=` and attach `-XX:OnOutOfMemoryError=""` to run OS commands without touching application logic. See [WebSocket attacks](websocket-attacks.md#localhost-websocket-abuse--browser-port-discovery) for a walk-through. +### Installers / setup wizards / recovery leftovers + +First-run installers and recovery endpoints are often forgotten in production. If a live application still exposes paths such as `/install/`, `/setup/`, `/init/`, `/admin/install`, `/setup/setupadministrator.action`, or readable config files such as `/config/database.php`, treat them as **high-value takeover primitives** instead of low-value information leaks. + +Checks to perform: + +- Fuzz for installer and reconfiguration paths with `ffuf`, `dirsearch`, or wordlists containing `install`, `setup`, `wizard`, `init`, `upgrade`, `db`, `config`, and `admin`. +- Open the wizard and determine whether it still accepts **database / SMTP / admin** parameters after deployment, or whether a server-side `setupComplete` / lock file can be flipped or bypassed. +- If the installer accepts arbitrary DB settings, test whether the application will connect to an **attacker-controlled external DB** and bootstrap its schema there. This can yield **admin creation**, backend **state disclosure**, or application **DoS** if the remote DB later disappears. +- After any successful reinitialization, revisit old authenticated tabs and test whether **pre-existing sessions remain valid** even after the backend DB/configuration is restored. PHP apps often keep session state outside MySQL, so restoring the DB may not revoke attacker sessions. +- Review incident-response paths: password reset, admin creation, DB restore, installer rerun, maintenance exit. If none of them rotate session IDs or invalidate server-side session stores, keep testing for persistent dashboard access. + +Operational notes: + +- Outbound connectivity matters: if the web tier can reach arbitrary MySQL hosts, SSRF-style egress restrictions are missing and installer abuse becomes much easier. +- Sudden `500` errors immediately after setup changes can indicate the application is still pointing to attacker-supplied infrastructure. +- Framework/app-specific examples exist (for example Confluence setup reactivation admin creation), but the reusable technique is **production reinstallation / reinitialization abuse**. + ### **HTTP Headers** Depending on the HTTP headers given by the web server some vulnerabilities might be present. @@ -224,6 +242,7 @@ Modern applications extend into browsers, wallets, and automation pipelines—ke ## References - [When WebSockets Lead to RCE in CurseForge](https://elliott.diy/blog/curseforge/) +- [I Accidentally Logged as Admin Into a Threat Actor Website](https://potato.id/en/posts/i-accidentally-logged-into-threat-actor-website) {{#include ../banners/hacktricks-training.md}}