FirstBlood-#169Found a way to register as non-admin user



On 2021-05-11, iffu reported:

Summary

Hi zseano..

This is by far the most frustrating bug I've ever found. This register bug took a lot of time for me.

Things I tried

  • Bruteforced the invite codes for 4 digits, 6 digits as in most cases invite codes are of 4 or 6 digits. I used intruder with a very less number of threads so as to not make the server run down.

  • Tried every possible invite code generation functions from stackoverflow, and what not.

  • Analysed the whole target for any .js file or .php file for the invite_code generation function or any other function related to invite_code.

  • After a lot of things tried, one of my friends suggested me to hack it like a real target. I started with google dorking and found the invite code.

Steps to reproduce

  • The invite code is publicly available on the internet on www.reddit.com
  • The google dork used : site: firstbloodhackers.com invite

Thanks zseano for this wonderful application and please let me know if you need anymore info regarding this.

P2 High

Endpoint: /register.php

Parameter: ***

Payload: ***


FirstBlood ID: 15
Vulnerability Type: Auth issues

A doctors invite code is leaked on the internet which if used grants anyone access to the doctor portal. The invite code should expire after use.


Respect Earnt: 1500000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.