My name is Terry Amondi and I am thrilled by offensive security
The objective of this lab is to retrieve the administrator's password and then use it to delete the user carlos.
The lab gives access to a shopping site as shown below.
Wiener’s account can be accessed with the credentials provided.
From the above image, it is clear that wiener's password is masked in the form. The password can, however, be found in its unmasked form in the page source.
You can see that the password's value is peter. The administrator's actual password should be retrievable in the same manner. Now, change the id parameter in the URL from wiener to administrator to access the admin account.
Once in the administrator account, you can view the source code to find the administrator’s password.
You can see that the value of the password is tgcrwax3ag2rebpop1ck. You can use this to log in to the administrator's account. Logging in to the account gives access to the admin panel, from where carlos' account can be deleted.
Once you delete the account, you get: