Exploiting Unrestricted File Upload to achieve Remote Code Execution on a bug bounty program

Accessing https://asdfasdf.redacted.com revealed a login form with a userid field and a name field, which a user had to fill in to authenticate to the web application. Since there was no registration form for provisioning credentials, I would have to focus on unauthenticated bugs or find other endpoints on the subdomain. I decided to perform content discovery in the hope of revealing interesting directories and files, using ffuf with wordlists taken from the SecLists GitHub repo. It didn't take long for the tool to return some interesting results:

Output from running ffuf against https://asdfasf.redacted.com

I was skeptical at first as to whether I could actually access these directories, given the 301 HTTP response code and the fact that access to such folders had usually been properly restricted on the targets I had encountered in my bug hunting. To my surprise, visiting each endpoint discovered through directory brute-force let me browse all the content beneath it directly. The following directories were of particular interest, since between them they contained everything from uploaded files and backup files to the web application's source files.

/upload
/UploadFile
/Application
/Bak
/init
/offline

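The brute-force scan described above leaves a recognisable footprint in the web server's access log. The following is an added example, not code from the original post: it runs simple detection logic over constructed combined-log-format lines, flagging clients that request many distinct paths with a high 404 ratio, clients still using ffuf's default User-Agent, and any successful listing of the exposed directories named above. The log lines, thresholds and directory watchlist are assumptions.

```python
import re
from collections import defaultdict

# Constructed combined-log-format lines (not from the original post): the first client
# behaves like a wordlist-driven scan, the second like an ordinary browser session.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /admin HTTP/1.1" 404 196 "-" "Fuzz Faster U Fool/v2.0.0"
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /backup HTTP/1.1" 404 196 "-" "Fuzz Faster U Fool/v2.0.0"
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /upload HTTP/1.1" 301 178 "-" "Fuzz Faster U Fool/v2.0.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /Bak HTTP/1.1" 301 178 "-" "Fuzz Faster U Fool/v2.0.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /test HTTP/1.1" 404 196 "-" "Fuzz Faster U Fool/v2.0.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /old HTTP/1.1" 404 196 "-" "Fuzz Faster U Fool/v2.0.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /Bak/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:42 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

# client, method, path, status, user-agent from an Apache/nginx combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')

# Directories the write-up found exposed (assumed watchlist); a 200 on the
# trailing-slash form means the server returned a listing or index page.
SENSITIVE_DIRS = {"/upload", "/UploadFile", "/Application", "/Bak", "/init", "/offline"}

def parse(log_text):
    """Yield (ip, method, path, status, ua) for every line that parses."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, method, path, status, ua = m.groups()
            yield ip, method, path, int(status), ua

def analyse(log_text, min_paths=5, min_miss_ratio=0.5):
    """Return scanner candidates, sensitive directory listings and default-UA clients."""
    per_ip = defaultdict(lambda: {"paths": set(), "total": 0, "misses": 0, "ffuf_ua": False})
    listings = []
    for ip, _method, path, status, ua in parse(log_text):
        st = per_ip[ip]
        st["paths"].add(path)
        st["total"] += 1
        st["misses"] += status == 404
        # ffuf's default User-Agent starts with this string; operators can override it
        # with -H, so treat it as a weak signal, not the primary one.
        st["ffuf_ua"] |= ua.startswith("Fuzz Faster U Fool")
        if status == 200 and path.endswith("/") and path.rstrip("/") in SENSITIVE_DIRS:
            listings.append((ip, path))
    # Many distinct paths with mostly 404s is the wordlist signature, whatever the UA says.
    scanners = sorted(ip for ip, st in per_ip.items()
                      if len(st["paths"]) >= min_paths and st["misses"] / st["total"] >= min_miss_ratio)
    return {"scanners": scanners, "listings": listings,
            "ffuf_ua": sorted(ip for ip, st in per_ip.items() if st["ffuf_ua"])}
```

The listing check is the one to fix at the server (disable autoindex or move the folders out of the web root); the scanner heuristic only tells you someone is looking.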