FirstBlood-#592 — Register a doctor
This issue was discovered on FirstBlood v2
On 2021-10-26, twsec Level 2 reported:
When trying to log in, we are faced with a login or register doctor option. Since we have no credentials, we need to register.
- It's always important to read the scope, because there's a hidden message there.
Note the bold test.
So where might we use it? We tried the username, but there's still the invite code, so we try the invite code "test" and it works.
But since it should be unique, which means it should be used once, we can use the same code to register another doctor at the same time.
Now that we have access to the drpanel, we could view the source of the page and notice the commented-out code for the editpassword function,
and we can escalate our privileges to become an Admin Doctor.
P3 Medium
Endpoint: /register.php
Parameter: unique invite code
Payload: test
FirstBlood ID: 24
Vulnerability Type: Auth issues
The old invite code was deleted but when testing FirstBlood v2 the developers accidentally left the test code working.
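
An added example, not part of the original report or FirstBlood's own code: a Python/SQLite sketch of single-use invite redemption in which the invite is claimed atomically in the same transaction that creates the account, so a never-issued code (such as a leftover test value) and a second redemption of a used code are both rejected. The table names, function names and sample codes are assumptions constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed schema: one row per issued invite code (assumed layout)."""
    # isolation_level=None puts the connection in autocommit mode so the
    # BEGIN/COMMIT/ROLLBACK statements below control the transaction.
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.execute("CREATE TABLE invites (code TEXT PRIMARY KEY, used_by TEXT)")
    db.execute("CREATE TABLE doctors (username TEXT PRIMARY KEY)")
    return db

def issue_invite(db, code):
    """Only codes inserted here are valid; nothing is hard-coded."""
    db.execute("INSERT INTO invites (code, used_by) VALUES (?, NULL)", (code,))

def register_doctor(db, username, invite_code):
    """Create the account only if the invite is claimed in the same transaction."""
    db.execute("BEGIN IMMEDIATE")  # take the write lock before checking
    try:
        # Atomic claim: a used or unknown code matches zero rows, so two
        # simultaneous registrations cannot both consume the same invite.
        cur = db.execute(
            "UPDATE invites SET used_by = ? WHERE code = ? AND used_by IS NULL",
            (username, invite_code),
        )
        if cur.rowcount != 1:
            db.execute("ROLLBACK")
            return False
        db.execute("INSERT INTO doctors (username) VALUES (?)", (username,))
        db.execute("COMMIT")
        return True
    except sqlite3.IntegrityError:
        # Duplicate username: roll back so the invite stays unused.
        db.execute("ROLLBACK")
        return False
```
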