FirstBlood-#603 SQL Injection on /vaccination-manager/login.php through password parameter
This issue was discovered on FirstBlood v2 (issues patched)



On 2021-10-26, holybugx Level 5 reported:

Description

Hello Sean,

SQL Injection is possible on the Vaccination Management Panel using the password parameter. Using this SQL Injection I was able to completely extract the database and gain access to the admin's credentials.

Steps To Reproduce

  1. Open Vaccination Management Panel and use admin as the username. Intercept the request to "Secure Login":

  2. Use admin' or sleep(10) and 1=1# as the value of the password parameter and inspect the response time:

As observed, the SQL Injection vulnerability is valid. It's possible to further exploit this to extract the complete database.

Exploitation

One of the best tools to automate the exploitation of SQL Injection is SQLMap.

  1. Copy the POST request to /vaccination-manager/login.php and save it inside a file (req.txt).

  2. Use the following command to run SQLMap and extract all database details:

 sqlmap.py -r req.txt -p password --batch --random-agent -a

It is also possible to get an interactive SQL shell using the --sql-shell flag of SQLMap:

After analyzing the output, I found the admin credentials used to login to the Vaccination Management portal:

Impact

  • SQL Injection leading to complete extraction of the database as well as interactive SQL shell

Remediation

  • The only sure way to prevent SQL Injection attacks is input validation and parameterized queries including prepared statements. The application code should never use the input directly. The developer must sanitize all input, not only web form inputs such as login forms. In your case the login form was vulnerable, but to be sure, it's better to implement proper input validation on all user inputs.

  • You must remove potential malicious code elements such as single quotes. It is also a good idea to turn off the visibility of database errors on your production sites. Database errors can be used with SQL Injection to gain information about your database. There were no database errors in your case, but it's always good to keep that in mind.

  • Some functions like mysqli_real_escape_string() in PHP can also protect against them. But be careful to read the documentation when using those kinds of functions. For example, in PHP addslashes() may seem to be a good alternative, but it is weak when it comes to SQL injection protection due to malicious charset tricks.

Kind Regards,

HolyBugx
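The remediation bullets above describe the fix in words; the following is an added example written for this page, not the FirstBlood login.php source and not code from the reporter. It puts the pattern that produces the reported behaviour (user input concatenated into the SQL text) next to a hardened version using a PDO prepared statement and a hashed password check. The table and column names (users, username, role, password_hash), the DSN, and the DB_PASSWORD environment variable are assumptions.

```php
<?php
// Added example (not FirstBlood's login.php): a concatenated login query beside a
// hardened version using a prepared statement and password_verify().
// Assumed schema: users(id, username, role, password_hash).

declare(strict_types=1);

// VULNERABLE: the password value becomes part of the SQL grammar. A value such as
// the report's  admin' or sleep(10) and 1=1#  closes the quoted string, appends a
// condition and comments out the rest, which is why the response is delayed.
function loginVulnerable(mysqli $db, string $username, string $password): ?array
{
    $sql = "SELECT id, username, role FROM users "
         . "WHERE username = '$username' AND password = '$password'";
    $result = $db->query($sql);                  // attacker controls the query text
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// HARDENED: the SQL text is fixed at development time; the username travels as a
// bound parameter, so quotes, '#' and sleep() in the input are just characters in
// a string. The password is never compared inside SQL at all: the stored hash is
// fetched and checked with password_verify().
function loginHardened(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT id, username, role, password_hash FROM users WHERE username = :u LIMIT 1'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;                             // same answer for unknown user and wrong password
    }
    unset($row['password_hash']);
    return $row;
}

function connect(): PDO
{
    // Server-side prepares (no client-side emulation), exceptions instead of silent
    // failures, and an explicit connection charset; fixing the charset in the DSN is
    // what makes the addslashes() charset caveat from the report moot here.
    return new PDO(
        'mysql:host=127.0.0.1;dbname=vaccination;charset=utf8mb4',   // assumed DSN
        'app_user',
        getenv('DB_PASSWORD') ?: '',                                 // assumed env var
        [
            PDO::ATTR_EMULATE_PREPARES => false,
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        ]
    );
}

// Usage: database errors are logged server-side and never echoed to the client,
// matching the report's advice to keep database errors out of production responses.
try {
    $user = loginHardened(connect(), $_POST['username'] ?? '', $_POST['password'] ?? '');
    echo $user
        ? 'Welcome ' . htmlspecialchars($user['username'], ENT_QUOTES, 'UTF-8')
        : 'Invalid credentials';
} catch (PDOException $e) {
    error_log($e->getMessage());                 // detail stays in the server log
    http_response_code(500);
    echo 'Login temporarily unavailable';
}
```

The point of `loginHardened` is that there is nothing left for input sanitisation to get wrong: the query shape cannot change regardless of what the password field contains, and escaping helpers such as addslashes() or mysqli_real_escape_string() are not relied on at all. Disabling PHP's display_errors in production (php.ini) complements the try/catch so that a misconfiguration elsewhere does not leak driver messages.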

P1 CRITICAL

FirstBlood ID: 30
Vulnerability Type: SQL Injection

There is an SQL injection on the vaccination management portal login page which results in the user being able to login as the administrator.

Report Feedback

@zseano

Creator & Administrator


Great report, clear reproduction steps and screenshots outlining the issue. Nice work HolyBugx!