Sweet information disclosure leads to non-authorized authentication

Hello Hackers, today I will tell you how I was able to hack into the Phpmyadmin panel of a target and read all databases content

The story started when I wanted to thanks my teacher for all the knowledge he gave me during my 3 years of studies in the university of computer science, so I decided to offer a free pentest service to the University(Web app testing)

So as always we have the main target ‘www.Target.com’, the first thing to do is to collect interesting information and subdomain enumeration!
I used ‘dnsdumpster.com’ for subdomains but unfortunately, I found nothing!
I moved to Sublist3r tool :
The result wasn’t that good, I got one subdomain ‘ftp.target.com’ and this is how it looks like

‘Ftp.target.com’

Before getting deeper on the subdomain I found, I decided to start a directory Bruteforce in the main website ‘Target.com’
The result was like this :

So after checking all of them, one was so interesting its the /logout/ folder!
Btw /web.confing nothing interesting inside ^^
So when we enter the ‘Target.com/logout/ we find this :

Its a login page and you know what kind of stuff we can try when it cams to this :3!
So first thing is to try random login and password!
And no no no no as expected, but something wrong happened !!!

I got this huge error page lol, it seems that there is no condition check when it came to wrong or null credentials, and it shows you from where the error came from and it also shows the line of the source code used inside the app LOOOL!

I had a feeling that by analyzing these error codes I may find something interesting and yes! after some munites I was able to find this :

This was so sweet to see, “I had just to scroll down to find this interesting info’’ And now its time to find how we can use this!
basically its database credentials but as we already saw there is no PHPMyAdmin folder when I check for directories …
In this case, I switched to the second subdomain and tried to see if there are any hidden folders!
The result was about one directory called /pma/ its seems like the abbreviation of PHPMYADMIN lets check it :D

And yes it is !!

So now I had just to use the user and pass I already found to log-in!
For the first time, it didn't work, but no error generated! I understood that the credentials are correct but since I'm not in the same country as the target is, I needed to change my Ip address in order to be able to log-in,
I used My phone with a VPN also to make sure that the problem is not from my computer browser, you know chrome stuff…

And voila!

Thanks for reading hope you share it if you like it ❤

The best puzzles are not meant to be solved{fahdabida.com}