Apr 1, 2018

My Best Small Bug Bounty Report in a Private Program (Django REST framework Admin Login Bypass)



Django REST framework Admin Login ByPass

Hello everyone, welcome to my small blog.

Today I will be talking about a very small bug that most of us neglect when we see a powerful admin login panel like "Django REST framework".

Most of us don't try SQL Injection Authentication Bypass, because we think it is hard to find this bug in a big framework, so we go directly to the guessing method, attacking with Intruder (Burp Suite).

Example of using Burp Suite: https://hackerone.com/reports/128114

In this report I will explain how I found this small bug and what the reward was.

Most of us know the shape of the Django login panel:

Username: 

Password :

I tried username: Admin and password: Admin too, but nothing happened, as usual.


Then I got the idea to try the noob SQL Injection Authentication Bypass, even though trying it in a big framework like Django is a bad idea :O

The username was Admin
and
the password payload was admin' or '1'='1

What happened?
Nothing too.

After 2 minutes I found myself logged in as Admin?!
I think the system was drunk or something!
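To show why the payload above works and how the fix looks, here is an added example (not code from the program or from Django itself). It uses an in-memory sqlite3 table named auth_user with a constructed admin row, and compares passwords in plaintext only to keep the demonstration short; a real login check compares password hashes. Django's ORM binds query parameters by default, so a bypass like this comes from a custom authentication backend or raw SQL that builds the query by string formatting, which is what login_vulnerable imitates.

```python
import sqlite3

# Constructed sample data: a throwaway in-memory database with a single
# admin row. The schema is a stand-in for the demo, not the real application's.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE auth_user (username TEXT, password TEXT, is_staff INTEGER)"
    )
    conn.execute("INSERT INTO auth_user VALUES ('admin', 'S3cret!', 1)")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Login check built by string formatting (the bug class in the post).

    The password value becomes part of the SQL text, so the payload
    admin' or '1'='1 closes the quoted literal and appends OR '1'='1',
    turning the WHERE clause into a tautology that matches every row.
    """
    sql = (
        "SELECT username FROM auth_user WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(sql).fetchone()
    return row is not None


def login_parameterized(conn, username, password):
    """Same check with bound parameters (the fix).

    The driver sends username and password as data, never as SQL text,
    so quotes and OR inside the value are compared literally.
    """
    row = conn.execute(
        "SELECT username FROM auth_user WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def compare(username, password):
    """Run both checks on fresh databases and return the two outcomes."""
    return {
        "vulnerable": login_vulnerable(make_db(), username, password),
        "parameterized": login_parameterized(make_db(), username, password),
    }


if __name__ == "__main__":
    # The exact input from the post: username Admin, password admin' or '1'='1
    print(compare("Admin", "admin' or '1'='1"))
    # A legitimate login still works against the parameterized version.
    print(compare("admin", "S3cret!"))
```

Running it prints that the formatted query accepts the payload while the parameterized query rejects it, and that the genuine credentials still pass the parameterized check. The same comparison is a useful regression test to keep beside any hand-written login code.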


Sure, I created another admin account with my name :)

What did I find?
About 800+ employee accounts

About 800+ user accounts

10000+ orders

Reward: $2000


Security Researcher at Many Websites - Bug Hunter - Civil Engineer Student
