FirstBlood-#585 Admin account takeover
This issue was discovered on FirstBlood v2



On 2021-10-26, newrouge Level 3 reported:

Hey, I found that it is possible to take over the admin account via a beta feature called editpassword. It was possible to change the Admin account password.

Description

Reading the source code after logging in as a normal doctor, we can notice that

 /* to do
 function editpassword(username) {
 var xhr = new XMLHttpRequest();
 xhr.open("POST", '', true);

  • We know the admin username from the application's error when we try to sign up with the drAdmin username.

  • Remembering old endpoints like drapi/query.php, and after a few rounds of trial and error, it worked.
  • According to the code snippet, it accepts a POST request and a username parameter.

Steps:

  1. Visit the URL https://1b42ba552850-newrouge.a.firstbloodhackers.com/drpanel/drapi/editpassword.php and capture the request.
  2. Send a POST request with the parameter username=drAdmin

  3. Now log in to the admin account with the new password.

Thank you

newrouge

P1 CRITICAL

Endpoint: /drpanel/drapi/editpassword.php

Parameter: username=

Payload: drAdmin


FirstBlood ID: 27
Vulnerability Type: Application/Business Logic

It is possible to edit the admin's password (drAdmin) from /drapi/editpassword, as the endpoint only checks the supplied username and performs no authorization check against the logged-in user. Usernames can be enumerated when logging in, as trying 'drAdmin' results in a different error. The username can also be found from FirstBlood v1.