FirstBlood-#445 — [COLLAB with isitbug] Invite code is literally "test"
This issue was discovered on FirstBlood v2
On 2021-10-25, shreky Level 5 reported:
Nice play, didn't think at first that the invite code would literally be
"test", even though I did notice the bolding of "testing" in the policy.
Steps to reproduce
- Go to /register.php and for the invite code put "test" along with any username you want
- Boom, you're in
Very easily guessable invite code leads to unauthorized users creating doctor accounts.
After gaining a reverse shell on the machine using the RCE and accessing the MySQL database (using the password found in /app/firstblood/include/config.php), I found the "test" invite code belongs to TestDoctor.
id  username    password  session  invite_code
2   TestDoctor  test               test
PoC after inserting the test invite code -->
FirstBlood ID: 24
Vulnerability Type: Auth issues
The old invite code was deleted but when testing FirstBlood v2 the developers accidentally left the test code working.
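The root cause here is twofold: the invite code was a guessable fixture value, and the fixture row survived into a release. The following is an added example (not FirstBlood's own code; the table layout, helper names and sample rows are assumptions constructed for the demo) that shows the two defensive pieces a practitioner would want: an invite-code store that issues high-entropy, single-use, expiring codes and keeps only a hash of them in the database, and a pre-release audit that scans a legacy plaintext invite_code column for leftover test values so a row like TestDoctor/test is caught before deployment.

```python
"""Invite-code hardening plus a pre-release audit for leftover test codes.

Added example, not code from the FirstBlood application. InviteStore,
find_weak_invites and SAMPLE_ROWS are constructed for this demonstration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


def _hash(code: str) -> str:
    # Only a SHA-256 of the code is stored, so a database read (as in the
    # report's MySQL dump) does not hand out usable invite codes.
    return hashlib.sha256(code.encode()).hexdigest()


@dataclass
class InviteRecord:
    username: str      # doctor account the invite was issued for
    code_hash: str     # hash of the code; plaintext is never persisted
    expires_at: float  # unix timestamp after which the code is dead
    used: bool = False


class InviteStore:
    """Random, single-use, expiring invite codes (assumed in-memory table)."""

    def __init__(self) -> None:
        self.records: List[InviteRecord] = []

    def issue(self, username: str, now: float, ttl_seconds: int = 7 * 24 * 3600) -> str:
        code = secrets.token_urlsafe(24)  # 192 bits of entropy, not a fixture
        self.records.append(InviteRecord(username, _hash(code), now + ttl_seconds))
        return code  # shown to the inviter once; never stored in clear

    def redeem(self, submitted: str, now: float) -> Optional[InviteRecord]:
        """Return the matching record and mark it used, or None if invalid."""
        h = _hash(submitted)
        for rec in self.records:
            # compare_digest avoids leaking match position through timing
            if hmac.compare_digest(rec.code_hash, h):
                if rec.used or now > rec.expires_at:
                    return None
                rec.used = True  # single use: a second redemption fails
                return rec
        return None


# --- pre-release audit for fixture rows left in a plaintext invite_code column ---
TEST_VALUES = {"test", "testing", "demo", "admin", "1234", "password"}
MIN_CODE_LENGTH = 16

Row = Tuple[int, str, str]  # (id, username, invite_code) as read from the DB


def find_weak_invites(rows: Iterable[Row], denylist=TEST_VALUES,
                      min_len: int = MIN_CODE_LENGTH):
    """Flag rows whose invite code is a known test value, too short, or tied to a fixture account."""
    findings = []
    for row_id, username, code in rows:
        reasons = []
        if code.lower() in denylist:
            reasons.append("known test value")
        if len(code) < min_len:
            reasons.append(f"shorter than {min_len} chars")
        if code.lower() == username.lower() or username.lower().startswith("test"):
            reasons.append("fixture account")
        if reasons:
            findings.append((row_id, username, reasons))
    return findings


# Constructed sample rows; row 2 mirrors the row quoted in the report.
SAMPLE_ROWS: List[Row] = [
    (1, "DrAlice", "kQ9v3mZpLx2nR8tY"),
    (2, "TestDoctor", "test"),
    (3, "DrBob", "zQ1w"),
]

if __name__ == "__main__":
    store = InviteStore()
    code = store.issue("DrCarol", now=1000.0)
    print("redeem once:", store.redeem(code, now=2000.0) is not None)
    print("redeem twice:", store.redeem(code, now=2001.0) is not None)
    print("guess 'test':", store.redeem("test", now=2001.0) is not None)
    for row_id, username, reasons in find_weak_invites(SAMPLE_ROWS):
        print(f"row {row_id} ({username}): {', '.join(reasons)}")
```

Running find_weak_invites as a deployment gate (or a CI check against a database snapshot) is what would have caught the leftover "test" row before FirstBlood v2 shipped; the hashed, single-use store removes the second half of the risk, since even a full table read via the RCE path described above yields nothing that can be typed into /register.php.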