FirstBlood #837: Change user passwords at will to enable account takeover
This issue was discovered on FirstBlood v2

On 2021-10-29, axe Level 4 reported:

Summary

  1. Discovery process: register user Axe -> after successful login, visit the HTML code of /drpanel/index.php endpoint -> discover sensitive information

  2. Test sensitive endpoint xxx.php -> /drpanel/xxx.php -> /drpanel/drapi/xxx.php

Steps

  1. Registered user Jam

  2. Login successfully, visit the HTML code of /drpanel/index.php endpoint

    1. Sensitive information found.

  3. Why do you think this is sensitive information? It's because of the /* */ JS comment characters and noting the function editpassword(username)

    1. Since there is no place to call this method as well as pass the username parameter, priority is given to trying files with this name.

    2. Also, in the general case of writing back-end code, developers generally make the request path that the front end sends to the back end match the function name. So it was thought to access the /drpanel/drapi/editpassword.php file with the username parameter.

    3. The reason why the path is /drpanel/drapi/ is because the code already tells this path!!!

  4. Visit /drpanel/drapi/editpassword.php and add username=jam.

    1. Found that jam's password has been updated

    2. Log out and use the new password to log in to the account. jam: YPJVEatUHf9wRXb

    3. Login successful!

  5. Then we can try to update the password of the administrator drAdmin

    1. Update administrator password -> Update successfully

    2. Login to admin account -> drAdmin: tF2qCgs9XWOaUyY -> Login successful

Impact

  1. Change user passwords at will to enable account takeover!!!

P1 CRITICAL

Endpoint: /drpanel/drapi/editpassword.php

Parameter: username

Payload: NA

FirstBlood ID: 27
Vulnerability Type: Application/Business Logic

It is possible to edit the admin's password (drAdmin) from /drapi/editpassword as it only looks at the username. Usernames can be enumerated when logging in, as trying 'drAdmin' results in a different error. The username can also be found from FirstBlood v1.
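The root cause is that the password-change handler trusts the username supplied in the request and performs no authorization check. The following is an added illustration, not code from FirstBlood: a minimal Python model of the reported handler beside a fixed one in which the acting account comes from the server-side session, changing another user's password requires an admin session, a self-service change must prove the current password, and every failure returns the same result so usernames cannot be enumerated. The in-memory user table and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 200_000  # assumption: any slow password hash would do here

@dataclass
class User:
    username: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    pw_hash: bytes = b""
    is_admin: bool = False

def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def set_password(user: User, password: str) -> None:
    user.salt = os.urandom(16)          # fresh salt on every change
    user.pw_hash = derive(password, user.salt)

def check_password(user: User, password: str) -> bool:
    # Constant-time compare so the check itself leaks nothing about the hash.
    return hmac.compare_digest(derive(password, user.salt), user.pw_hash)

def build_users() -> dict:
    """Constructed stand-in for the drpanel user table (not real data)."""
    users = {"jam": User("jam"), "drAdmin": User("drAdmin", is_admin=True)}
    set_password(users["jam"], "jam-old-password")
    set_password(users["drAdmin"], "admin-old-password")
    return users

def editpassword_vulnerable(users: dict, params: dict) -> bool:
    """Reported behaviour: the target is whatever username the request names,
    and nothing else is checked, so any caller can rotate any account."""
    target = users.get(params.get("username", ""))
    if target is None:
        return False
    set_password(target, params["new_password"])
    return True

def editpassword_fixed(users: dict, session_user: str, params: dict) -> bool:
    """Fixed handler: actor comes from the server-side session, not the request."""
    actor = users.get(session_user)
    target = users.get(params.get("username", session_user))
    if actor is None or target is None:
        return False                    # same answer for unknown names
    if target is not actor and not actor.is_admin:
        return False                    # only admins may change other accounts
    if target is actor and not check_password(actor, params.get("current_password", "")):
        return False                    # self-service change must prove the old password
    set_password(target, params["new_password"])
    return True
```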