FirstBlood-#886 Drpanel admin username enumeration
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-30, 0x1452 Level 3 reported:

Hey!

Summary

I noticed that the endpoint POST /register.php returns a different response if the username is set to an admin account's name.

Compare the following two responses:

Non-admin username

POST /register.php HTTP/1.1
Host: 46d069c58ee9-0x1452.a.firstbloodhackers.com
Content-Length: 50
Cache-Control: max-age=0
Sec-Ch-Ua: "Google Chrome";v="95", "Chromium";v="95", ";Not A Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://46d069c58ee9-0x1452.a.firstbloodhackers.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://46d069c58ee9-0x1452.a.firstbloodhackers.com/register.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

action=register&username=admin&inviteCode=whatever

Admin username (drAdmin)

POST /register.php HTTP/1.1
Host: 46d069c58ee9-0x1452.a.firstbloodhackers.com
Content-Length: 52
Cache-Control: max-age=0
Sec-Ch-Ua: "Google Chrome";v="95", "Chromium";v="95", ";Not A Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://46d069c58ee9-0x1452.a.firstbloodhackers.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://46d069c58ee9-0x1452.a.firstbloodhackers.com/register.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

action=register&username=drAdmin&inviteCode=whatever

Steps to reproduce

  1. Navigate to /register.php
  2. Try to register any username with any invite code
  3. Repeat until you find an admin -> e.g. drAdmin

Impact

While the impact is pretty low on its own, this could be used in combination with the account takeover reported in report #519. By brute-forcing a list of usernames on the register endpoint, an attacker can find valid admin accounts, then change their passwords.

P4 Low

Endpoint: /register.php

Parameter: username

Payload: any string


FirstBlood ID: 27
Vulnerability Type: Application/Business Logic

It is possible to edit the admin's password (dradmin) from /drapi/editpassword as it's only looking for the username. Usernames can be enumerated when logging in, as trying 'drAdmin' results in a different error. The username can also be found from FirstBlood v1.
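The flaw in both the report and the description above is a response oracle: the register endpoint answers differently depending on whether the submitted username belongs to an admin, so a list of candidate names can be checked with an invalid invite code and no account at all. The following Python is an added example written for this page, not FirstBlood's own code. It models a vulnerable handler with the distinct failure paths the report implies beside a hardened one that validates the invite code first and collapses every failure to one status and body, and it includes the differential check a reviewer can run to confirm the fix. The user store, the admin name set, the invite code value and all response messages are constructed assumptions.

```python
"""Differential-response check for username enumeration on a registration endpoint.

Added example for this report; the user store, invite code and messages below are
constructed assumptions, not FirstBlood's real data or error strings.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, Set

# Constructed sample user store standing in for the application's database.
EXISTING_USERS = {"drAdmin", "alice"}
ADMIN_USERS = {"drAdmin"}
VALID_INVITE_CODES = {"INVITE-EXAMPLE-001"}  # constructed value


@dataclass(frozen=True)
class Response:
    """Minimal stand-in for an HTTP response; frozen so it can live in a set."""
    status: int
    body: str


def register_vulnerable(username: str, invite_code: str) -> Response:
    """Model of the reported behaviour: each failure path produces a different
    response, so the body reveals whether the name is an admin or an existing user,
    and it does so even when the invite code is garbage."""
    if username in ADMIN_USERS:
        return Response(403, "Registration of administrator accounts is not permitted")
    if username in EXISTING_USERS:
        return Response(400, "Username already taken")
    if invite_code not in VALID_INVITE_CODES:
        return Response(400, "Invalid invite code")
    return Response(200, "Account created")


# One generic failure for every rejected attempt that lacks a valid invite code.
GENERIC_FAILURE = Response(400, "Registration could not be completed with the details provided")


def register_hardened(username: str, invite_code: str) -> Response:
    """Hardened handler: the invite code gates everything, so an unauthenticated
    caller learns nothing about usernames; with a valid code, admin accounts and
    ordinary taken names are indistinguishable."""
    if invite_code not in VALID_INVITE_CODES:
        return GENERIC_FAILURE
    if username in EXISTING_USERS or username in ADMIN_USERS:
        return Response(400, "Username unavailable")
    return Response(200, "Account created")


def distinct_failure_responses(
    handler: Callable[[str, str], Response],
    usernames: Iterable[str],
    invite_code: str,
) -> Set[Response]:
    """Submit the same invite code with each candidate username and collect the
    distinct responses. More than one distinct response means the endpoint can be
    used as an oracle for which names are special; exactly one means it cannot."""
    return {handler(name, invite_code) for name in usernames}


if __name__ == "__main__":
    probe = ["admin", "drAdmin", "alice", "nobody"]
    for name, handler in (("vulnerable", register_vulnerable), ("hardened", register_hardened)):
        seen = distinct_failure_responses(handler, probe, "whatever")
        print(f"{name}: {len(seen)} distinct response(s) for an invalid invite code")
        for resp in sorted(seen, key=lambda r: (r.status, r.body)):
            print(f"  {resp.status} {resp.body}")
```

The check is deliberately run with an invalid invite code, which is exactly what the report did, because that is the unauthenticated position an enumeration attempt starts from. Note that the hardened handler still tells a holder of a valid invite code that a name is unavailable; that is an accepted trade-off for usability, and the residual risk is a rate limit on registration attempts per invite code and per client rather than a further change to the response.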

Report Feedback

@zseano

Creator & Administrator


Hi there, we don't have a unique bug for enumerating usernames on FirstBlood and I'm going to assign ID 27 for this as the description mentions enumerating :) Nice work though!