FirstBlood-#723 — [COLLAB isitbug] SQL Injection on Vaccination Management login page leading to unauthorized access to the panel
This issue was discovered on FirstBlood v2
On 2021-10-27, shreky Level 5 reported:
Upon doing some recon,or in our case running
ls *via the RCE,the endpoint
/vaccination-manager/login.phpalong with others is discovered.Having a look at it,I see there's username enumeration on it,entering an inexisting username returns User does not exist while entering admin with an incorrect password returns Invalid username or password.
Soon after,we try for SQL injection in the password field,injecting a
'returns the following error:
SQLSTATE: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''''' at line 1
That tells us there's a high change it's vulnerable to SQLi,so by doing
' OR 1=1#we get easy access to the Vaccination Management panel.There's no sanitization being done probably because Patrice thought no one would discover this endpoint,as always,he was wrong.
Unrestricted access to the VM (vax management) dashboard which leads to PII leakage of user's who submitted their vaccination proof,such as email,IP,proof image.
POST Request with very complex SQLi payload in password field -->
After that we get straight in (blurring out my ip xd) -->
' OR 1=1#
FirstBlood ID: 30
Vulnerability Type: SQL Injection
There is an SQL injection on the vaccination management portal login page which results in the user being able to login as the administrator.