Secret Administrative Pages


Overview

Secret administrative pages are surprisingly common. Developers assume that because the page is not linked from anywhere, nobody can determine its URL, so no authentication check is added. This is security through obscurity: the only thing protecting the page is the guessability of its name.

Discovery Methodology

Try brute forcing page names in the page parameter with Burp Intruder in Sniper mode, using a wordlist of likely administrative file names. Include at least the following: secret.php, admin.php, _adm.php, _admin.php, root.php, administrator.php, auth.php, hidden.php, console.php, conf.php, _private.php, private.php, access.php, control.php, control-panel.php. Send one request for a name that certainly does not exist first, then compare status code and response length against that baseline; a hit is any response that differs from the standard "page not found" result, including a PHP error, which still proves the file exists.
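The same discovery step as a script, for when Intruder is not at hand or the wordlist is long. This is an added example written for this hint, not part of Mutillidae or Burp. It assumes the target takes the file name in index.php?page=<name> and that every unknown name yields the same error body, which is used as the baseline; the fake site at the bottom is constructed so the example runs offline.

```python
"""Brute-force page names in a 'page' parameter and report the ones that do
not return the site's standard "not found" response.

Added example written for this hint; it is not part of Mutillidae or Burp.
Assumptions: the target takes the file name in index.php?page=<name>, and
unknown names all yield the same error body, which we use as a baseline.
"""
import hashlib
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple

# Wordlist from the hint; extend it with framework-specific names as needed.
CANDIDATES = [
    "secret.php", "admin.php", "_adm.php", "_admin.php", "root.php",
    "administrator.php", "auth.php", "hidden.php", "console.php", "conf.php",
    "_private.php", "private.php", "access.php", "control.php",
    "control-panel.php",
]

# A fetcher takes a URL and returns (HTTP status, response body).
Fetcher = Callable[[str], Tuple[int, bytes]]


def http_fetch(url: str, timeout: float = 5.0) -> Tuple[int, bytes]:
    """Real transport: GET the URL and return (status, body), including the
    body of 4xx/5xx responses, which is what we need to compare."""
    req = urllib.request.Request(url, headers={"User-Agent": "page-brute/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def response_signature(status: int, body: bytes) -> Tuple[int, str]:
    """Status plus a hash of the body: two identical 'not found' pages match
    exactly, while any real page (or a PHP error) differs."""
    return status, hashlib.sha256(body).hexdigest()


def brute_force_pages(base_url: str, candidates: List[str], fetch: Fetcher,
                      baseline_name: str = "this-page-does-not-exist-8f3a.php"
                      ) -> List[Tuple[str, int, int]]:
    """Return (name, status, body_length) for every candidate whose response
    differs from the baseline request for a name that cannot exist."""
    def url_for(name: str) -> str:
        return base_url + "?" + urllib.parse.urlencode({"page": name})

    baseline = response_signature(*fetch(url_for(baseline_name)))
    hits = []
    for name in candidates:
        status, body = fetch(url_for(name))
        if response_signature(status, body) != baseline:
            hits.append((name, status, len(body)))
    return hits


# Constructed fake server so the example runs offline: two hidden pages
# exist, every other name gets the same "Page not found" body with a 200
# status (a 200 on misses is why status codes alone are not enough).
FAKE_SITE: Dict[str, Tuple[int, bytes]] = {
    "admin.php": (200, b"<h1>Site administration</h1><form>...</form>"),
    "conf.php": (500, b"Fatal error: Uncaught Exception in conf.php"),
}


def fake_fetch(url: str) -> Tuple[int, bytes]:
    name = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)["page"][0]
    return FAKE_SITE.get(name, (200, b"<h1>Page not found</h1>"))


def demo() -> List[str]:
    """Names found against the constructed fake site."""
    hits = brute_force_pages("http://target.example/index.php",
                             CANDIDATES, fake_fetch)
    for name, status, size in hits:
        print(f"HIT  {name:20s} status={status} bytes={size}")
    return [name for name, _, _ in hits]


if __name__ == "__main__":
    demo()
```

Against a live target, pass http_fetch instead of fake_fetch. Comparing a body hash rather than the status code matters because many applications, Mutillidae's index.php included, answer unknown page names with 200 and an error message rather than a 404.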

Exploitation

Same as discovery: once a hidden page name is found, simply request it. Because the page relies on its URL being unguessable rather than on an authentication or authorization check, anyone who learns the name gets the same access an administrator would.

Example

A typical secret page is one that calls phpinfo(). The phpinfo function dumps the PHP server configuration to a nicely formatted table, including the PHP version, loaded extensions, include paths, and environment variables, all of which are useful reconnaissance for an attacker and none of which should be reachable without authentication.
