FirstBlood-#169 — Found a way to register as non-admin user
This issue was discovered on FirstBlood v1
On 2021-05-11, iffu Level 5 reported:
Summary
Hi zseano..
This is by far the most frustrating bug I've ever found. This register bug took a lot of time for me.
Things I tried
- Bruteforced the invite codes for 4 digits and 6 digits, as in most cases invite codes are of 4 or 6 digits. I used Intruder with a very low number of threads so as to not make the server go down.
- Tried every possible invite code generation function from Stack Overflow, and what not.
- Analysed the whole target for any .js file or .php file for the invite_code generation function or any other function related to invite_code.
- After a lot of things tried, one of my friends suggested that I hack it like a real target. I started with Google dorking and found the invite code.
Steps to reproduce
- The invite code is publicly available on the internet on www.reddit.com
- The Google dork used: site: firstbloodhackers.com invite
Thanks zseano for this wonderful application, and please let me know if you need any more info regarding this.
P2 High
Endpoint: /register.php
Parameter: ***
Payload: ***
FirstBlood ID: 15
Vulnerability Type: Auth issues
A doctor's invite code is leaked on the internet which, if used, grants anyone access to the doctor portal. The invite code should expire after use.