FirstBlood-#445 — [COLLAB with isitbug] Invite code is literally "test"
This issue was discovered on FirstBlood v2
On 2021-10-25, shreky Level 4 reported:
Summary
Nice play,didn't think at first that the invite code would literally be test
,even though I did notice the bolding of testing in the policy.
Steps to reproduce
- Go to /register.php and for the invite code put
test
along with any username you want
- Boom you're in
Impact
Very easily guessable invite code leads to unauthorized users creating doctor accounts.
After gaining a reverse shell on the machine using the RCE and accessing the MySQL database(using password found in /app/firstblood/include/config.php) I found the test invite code belongs to TestDoctor.
id username password session invite_code
2 TestDoctor test test
PoC after inserting the test invite code -->
P3 Medium
Endpoint: /register.php
Parameter: inviteCode
Payload: test
FirstBlood ID: 24
Vulnerability Type: Auth issues
The old invite code was deleted but when testing FirstBlood v2 the developers accidentally left the test code working.