Hints

Secret Administrative Pages

Overview

Secret Administrative Pages are surprisingly common. Developers assume that it is not possible to determine the URL so the pages are secure.

Discovery Methodology

Try brute forcing the page names in the page parameter with Burp-Intruder in sniper mode. Include some of the following page names in the brute force list: secret.php, admin.php, _adm.php, _admin.php, root.php, administrator.php, auth.php, hidden.php, console.php, conf.php, _private.php, private.php, access.php, control.php, control-panel.php, phpMyAdmin.php

Exploitation

Same as discovery.

Example

The phpinfo function dumps PHP server configuration information to a nice table. The phpMyAdmin.php hosts a secret phpMyAdmin console.

Videos

Gaining Administrative Shell Access via Command Injection: Load the video