Nibble
Overview #
- No longer maintained
- Successor is Bludit blog
Default Credentials #
admin:<none>
Interesting URL Paths #
# contains version
/README
/admin/boot/rules/98-constants.bit
# contains users
/content/private/users.xml
# others
/admin.php
/admin/
/content/
/content/private/plugins/my_image/db.xml
/content/private/config.xml
IP Blacklisting #
Nibbleblog blacklists an IP address for five minutes after five unsuccessful login attempts. We can confirm this configuration by checking the source code.
This can be bypassed by randomizing the X-Forwarded-For header. See bruteforce tool below.
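The bypass works because a blacklist keyed on a client-supplied header never sees the same "address" twice, while the TCP peer stays constant. The following is an added example from the defender's side, not code from the page or from Nibbleblog: it parses web-server access log lines, groups login attempts by the socket peer instead of X-Forwarded-For, and flags a peer that makes five or more attempts inside a five-minute window while presenting many distinct header values. It also shows `effective_client_ip()`, the address a blacklist should key on (honour X-Forwarded-For only when the peer is a proxy you operate). The log format (combined format with the header value quoted as the last field), the sample lines, and the assumption that every POST to `/admin.php` is a login attempt are all constructed for the example.

```python
"""Detect X-Forwarded-For spoofing against a per-IP login blacklist.

Constructed log format: combined log format with the X-Forwarded-For value
appended as a final quoted field ("-" when the header is absent). This is
an assumption for the example, not a Nibbleblog-specific format.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" "(?P<xff>[^"]*)"$'
)


def _line(peer, second, xff, method="POST", path="/admin.php"):
    """Build one constructed log line (all timestamps fall within one minute)."""
    return (f'{peer} - - [10/Oct/2023:13:55:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0" "{xff}"')


# Constructed sample: one peer rotating the header on every try, one plain
# burst without the header, and one ordinary user making two attempts.
SAMPLE_LOG = [
    *[_line("203.0.113.7", i, f"10.1.1.{i}") for i in range(7)],
    *[_line("192.0.2.9", i, "-") for i in range(6)],
    _line("198.51.100.3", 10, "-"),
    _line("198.51.100.3", 40, "-"),
    _line("198.51.100.3", 50, "-", method="GET", path="/admin/"),
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["xff"] = "" if rec["xff"] == "-" else rec["xff"]
    return rec


def effective_client_ip(peer, xff, trusted_proxies):
    """Return the address a blacklist should key on.

    X-Forwarded-For is honoured only when the TCP peer is a proxy we run;
    from anyone else the header is client-controlled and is ignored. When
    honoured, walk the chain from the right and take the first hop that is
    not one of our own proxies (hops further left were written by others).
    """
    if peer not in trusted_proxies or not xff:
        return peer
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed chain: fall back to the socket peer
        if hop not in trusted_proxies:
            return hop
    return peer


def is_login_attempt(rec):
    """Assumption for this example: every POST to /admin.php is a login attempt."""
    return rec["method"] == "POST" and rec["path"] == "/admin.php"


def find_login_bursts(lines, threshold=5, window=timedelta(minutes=5)):
    """Group login attempts by socket peer and report peers with at least
    `threshold` attempts inside any `window`. A high distinct_xff count for a
    single peer is the signature of a rotated X-Forwarded-For header."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_login_attempt(rec):
            attempts[rec["peer"]].append((rec["ts"], rec["xff"]))

    report = {}
    for peer, events in attempts.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            count = end - start + 1
            if count >= threshold:
                distinct = {x for _, x in events[start:end + 1] if x}
                prev = report.get(peer)
                if prev is None or count > prev["attempts"]:
                    report[peer] = {"attempts": count, "distinct_xff": len(distinct)}
    return report


if __name__ == "__main__":
    for peer, info in find_login_bursts(SAMPLE_LOG).items():
        print(peer, info)
```

Run it directly to see the two flagged peers: 203.0.113.7 with seven attempts and seven different header values (the rotation pattern), and 192.0.2.9 with a plain six-attempt burst that a socket-keyed blacklist would already stop. The two attempts from 198.51.100.3 stay below the threshold. The thresholds default to the five attempts and five minutes the page cites for Nibbleblog.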
Exploits #
- Arbitrary File Upload Exploit (v4.0.3) - make sure to generate payload via msfvenom first