Critical Flaw in University URL System
by sentap - Wednesday December 4, 2024 at 07:17 AM
#1
Admin Dashboard and Related Information

What is this platform?

The URL is the admin dashboard of a URL shortening service named YOURLS. This service is associated with Universitas Indonesia (UI) and is designed to create, manage, and track shortened URLs for the university's internal or external communications.


  • Purpose of the platform:
    • To shorten long URLs for easier sharing.
    • To track the performance of these shortened links, including clicks and IP addresses.
    • To manage internal and external URLs linked to university activities such as events, reports, and educational resources.

The user who has access is an administrator or a user with elevated permissions on this platform. Based on the interface and available options:
  • Access level: Likely has permissions to:
    • Create and manage shortened URLs.
    • View detailed analytics, including:
      • Click counts for each link.
      • IP addresses of users accessing the links.
      • Original and shortened URLs.
    • Use API keys for advanced functionalities like automated link creation or integration with external systems.

Detailed Analysis of the Dashboard Items

Admin Dashboard
[Image: 2024-12-04-071629.jpg]
This page provides an overview of the links managed by the platform. Key observations include:
  • Total Records:
    • The system tracks 5,202 shortened URLs, which have accumulated 5,741,715 clicks.
  • Columns in the table:
    • Short URL: The shortened link created by the service.
    • Original URL: The long-form URL to which the short link redirects.
    • Date/Time: When the shortened link was created.
    • IP: The IP address of the user who created the link.
    • Clicks: The total number of times each link has been accessed.
    • Actions: Options to edit or delete the link.

Example Data from the Table:

+----------------+---------------------------------------------+--------+-----------------+
| Short URL      | Original URL                                | Clicks | IP Address      |
+----------------+---------------------------------------------+--------+-----------------+
| UIIEE2024      | Registration page for an international expo | 4      | 10.12.7.205     |
| ownedycbngk3mu | Internal event link                         | 134    | 103.155.166.144 |
| 9nilaiui       | PDF file hosted on the university website   | 23     | 149.113.244.129 |
+----------------+---------------------------------------------+--------+-----------------+
Key Feature: These links appear to be tied to university-related activities such as events, forms, educational materials, and internal communications.

Tools and API Integration
[Image: 2024-12-04-071704.jpg]
This page provides additional tools and functionalities, including:
  • Bookmarklets:
    • Enable users to quickly shorten links via their browser toolbar.
  • API Integration:
    • Offers a secure API with a signature token for automated link shortening or integration into other systems.
    • Example API calls and token usage are provided.
Security Risks of API:
  • The signature token displayed in this image is sensitive information. If leaked, unauthorized users could exploit the service to create or manipulate links.
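The post says the API is protected by a signature token and that a leaked token is the main API risk. The block below is an added example, not code from the post or from the YOURLS project: it models, from the server's side, the difference between a request that carries the raw token and one that carries a time-bound hash. The hash scheme (md5 of the timestamp concatenated with the token, accepted within a nonce lifetime of 12 hours) is my reading of the documented YOURLS method and should be treated as an assumption; the token value and timestamps are constructed.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Optional

# Constructed secret for this example. A real signature token is a per-user
# secret shown on the admin "Tools" page and must never be logged or pasted.
SIGNATURE_TOKEN = "example-signature-token-not-real"

# Validity window for a timestamped signature. Assumed to match the YOURLS
# default nonce life (12 hours); a shorter window limits replay of a captured request.
NONCE_LIFE_SECONDS = 12 * 3600


def sign_request(token: str, timestamp: int) -> str:
    """Client side: time-bound signature, md5(timestamp . token) (assumed YOURLS scheme)."""
    return hashlib.md5(f"{timestamp}{token}".encode()).hexdigest()


@dataclass
class VerifyResult:
    ok: bool
    reason: str


def verify_request(params: dict, token: str, now: Optional[int] = None,
                   nonce_life: int = NONCE_LIFE_SECONDS) -> VerifyResult:
    """Server side: accept only a fresh timestamped hash, never the raw token."""
    now = int(time.time()) if now is None else now
    sig = str(params.get("signature", ""))
    if not sig:
        return VerifyResult(False, "missing signature")

    # A request carrying the raw token is the static method: every captured
    # copy of it is reusable forever. Reject it and treat it as a rotation trigger.
    if hmac.compare_digest(sig.encode(), token.encode()):
        return VerifyResult(False, "raw signature token used; rotate the token")

    ts_raw = str(params.get("timestamp", ""))
    if not ts_raw.isdigit():
        return VerifyResult(False, "missing or non-numeric timestamp")
    ts = int(ts_raw)
    if abs(now - ts) > nonce_life:
        return VerifyResult(False, "timestamp outside validity window (replay or clock skew)")

    expected = sign_request(token, ts)
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return VerifyResult(False, "signature mismatch")
    return VerifyResult(True, "ok")


if __name__ == "__main__":
    now = int(time.time())
    fresh = {"timestamp": str(now), "signature": sign_request(SIGNATURE_TOKEN, now)}
    print(verify_request(fresh, SIGNATURE_TOKEN))
    print(verify_request({"signature": SIGNATURE_TOKEN}, SIGNATURE_TOKEN))
```

The practical takeaway for an operator is that a request log showing `signature=` values that never change across calls means the raw token is in use and should be rotated; with the timestamped form, a captured request stops working after the window expires.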

Are these records important?
  • For whom is this data significant?
    • University Administration: To monitor the effectiveness of links used in their communication strategies.
    • Event Organizers and Departments: To track participation and engagement with events and resources.
    • IT and Security Teams: To ensure the platform is used appropriately and securely.
  • Potential Risks:
    • Data Sensitivity: IP addresses and click analytics could be considered sensitive information.
    • Misuse of API: If the API token is exposed, it could lead to unauthorized link manipulation.
Summary
  • Platform Purpose: A URL shortening and tracking system for Universitas Indonesia, designed to simplify link management and provide analytics.
  • User: Likely an administrator with full permissions to create, manage, and analyze links.
  • Data Volume: 5,202 links and over 5.7 million clicks have been recorded, making this a significant dataset for the university.
  • Importance of Data: Relevant for university operations, event management, and communication strategies. However, sensitive information like IPs and API tokens must be protected to avoid misuse.

Technical Details and System Features
1. Core Tools and Features:
  • Short URL Creation:
    • The system enables the creation of short URLs for long links. These URLs are displayed in the dashboard and include the following details:
      • Short URL
      • Original URL
      • Click counts
      • Creation date and time
      • The IP address of the user who created the link
  • Data Tracking and Analysis:
    • Click data and user information are logged through IP addresses.
    • Links can be sorted by date, clicks, or priority.
  • Bookmarklet Tools:
    • These tools allow users to shorten links directly from their browser without logging into the system.
  • API Integration:
    • The system provides an API for automated link creation and integration with other systems.
    • A Signature Token is used for secure requests to the system.
    • This feature is particularly useful for IT teams or software developers.

2. Identified Security Risks:
  1. Outdated Software Version:
    • The system uses YOURLS version 1.9.2, which is outdated and prompts for an update to the latest version.
    • Older versions may have unresolved security vulnerabilities.
  2. Exposure of API Token in Admin Interface:
    • The Signature Token is clearly visible in the second image.
    • This poses a significant risk as anyone with access to this token could exploit the API.
  3. Lack of IP Address Protection:
    • User IP addresses are stored and displayed in the system. If unauthorized individuals access this data, it could lead to a breach of user privacy.
  4. High Click Volume:
    • With over 5.7 million clicks recorded, the system is at risk of DDoS attacks or misuse of links if not properly secured.
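Risk 3 in the list above is that creator and visitor IP addresses are stored and shown in full. As an added example (not code from the post or from YOURLS, which the post says stores full addresses), the block below shows two ways a click store could hold IPs without keeping identifying values: prefix truncation for coarse analytics, and a keyed HMAC pseudonym that still lets repeat visitors be counted. The log rows and the key are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
from collections import Counter
from typing import Dict, List

# Constructed key; in a real deployment this lives in config, not in the table.
PSEUDONYM_KEY = b"example-key-not-real"


def truncate_ip(ip: str, v4_prefix: int = 24, v6_prefix: int = 48) -> str:
    """Keep only the network part so the stored value no longer points at one
    host but still supports coarse questions (campus range vs. external ISP)."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on garbage input
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def pseudonymize_ip(ip: str, key: bytes) -> str:
    """Keyed HMAC over the packed address: the same IP maps to the same tag
    (so unique visitors can be counted) but the tag cannot be reversed or
    enumerated without the key, unlike a plain hash of a 32-bit IPv4 space."""
    addr = ipaddress.ip_address(ip)
    return hmac.new(key, addr.packed, hashlib.sha256).hexdigest()[:16]


def anonymise_rows(rows: List[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    """Replace the raw 'ip' field of each click/creation record with both derived forms."""
    out = []
    for row in rows:
        cleaned = dict(row)
        raw = cleaned.pop("ip")
        cleaned["ip_prefix"] = truncate_ip(raw)
        cleaned["ip_tag"] = pseudonymize_ip(raw, key)
        out.append(cleaned)
    return out


def unique_visitors(rows: List[Dict[str, str]]) -> Dict[str, int]:
    """Per short URL, how many distinct pseudonymised visitors were seen."""
    seen: Dict[str, set] = {}
    for row in rows:
        seen.setdefault(row["short_url"], set()).add(row["ip_tag"])
    return {k: len(v) for k, v in seen.items()}


# Constructed sample rows shaped like the dashboard's click records.
SAMPLE_ROWS = [
    {"short_url": "expo2024", "ip": "198.51.100.23"},
    {"short_url": "expo2024", "ip": "198.51.100.23"},
    {"short_url": "expo2024", "ip": "198.51.100.77"},
    {"short_url": "report", "ip": "2001:db8:abcd:1234::5"},
]

if __name__ == "__main__":
    cleaned = anonymise_rows(SAMPLE_ROWS, PSEUDONYM_KEY)
    for r in cleaned:
        print(r)
    print(unique_visitors(cleaned))
    print(Counter(r["ip_prefix"] for r in cleaned))
```

Truncation alone is enough for the "which ranges click our links" question; the HMAC tag is only needed when per-visitor counts matter, and rotating the key periodically limits how long a tag stays linkable.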

3. Database Structure and Data Management:
  • Link Table: The database likely contains a table with the following fields:
    • Link ID
    • Original URL
    • Short URL
    • Click count
    • Creation date and time
    • User IP address
  • User Table: Contains user details (e.g., username, hashed password, access level).

4. Technical Use Cases:
  • For IT Teams:
    • Manage internal links and quickly shorten long URLs.
  • For Data Analysts:
    • Analyze link usage patterns (e.g., click counts and access times).
  • For Event Organizers:
    • Track user engagement with links related to forms, reports, and educational content.

Importance of Stored Data:
  • This data is highly valuable for the university as it includes:
    • User and student activities associated with the links.
    • Analytics on event attendance and resource usage.
    • API usage for integration with other systems.

Technical Summary
The YOURLS system used by Universitas Indonesia is a robust tool for managing short URLs and tracking analytics. With over 5,200 stored links and nearly 5.7 million clicks processed, it is a critical resource for data analysis and improving the university's communication strategies. However, immediate security improvements are required to safeguard user privacy and system integrity.

Assessment of the Breach
Accessing the mentioned user account and the dashboard capabilities indicates that you have gained Admin-level access to the URL management system. This level of access is among the highest on the site and allows for interaction with sensitive information and features, including:
  1. Access to All Shortened Links:
    • View both short and original URLs.
    • Modify click counts.
    • Access users' IP addresses.
  2. API Access:
    • Ability to use the API token for automated link creation or modification.
    • Potential for misuse if the token is exposed.
  3. Data and User Management:
    • Edit or delete link and user information.
    • Create new links.
  4. Sensitive Information Exposure:
    • Access to user IPs and click statistics, which could reveal user activities.

Level of Penetration:
Your access and the system's dashboard features indicate the following:
  • Type of Vulnerability:
    • Sensitive Information Disclosure.
    • API Misconfiguration.
    • Potential Exploitation of Outdated YOURLS Version.
  • Risk Level:
    • High: Due to access to sensitive data (e.g., IPs, original URLs, API token), the risk of data misuse and privacy breaches is significant.
    • This penetration level could disrupt the system's overall functionality.

Severity of the Vulnerability:
  • Category:
    • This vulnerability falls under the Critical category due to Admin-level access and exposure of sensitive information.
  • Impact:
    • It poses a significant threat to user privacy, data security, and the system's operational stability.

Access for Sale
The Admin panel access is available for purchase. Only the login credentials are provided, not the extracted data or additional features.
Contact Information
  • Private Message: Reach out directly via this platform.
  • Telegram: Message Kornios
  • Social Profiles: Follow my profile for additional contact channels.

#2
nice share brodi