FirstBlood-#725 — Vaccine Login is vulnerable to SQLi
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-27, buraaq Level 2 reported:
POST-based SQLi on
While spraying common usernames, I observed that usernames other than admin give "User does not exist", but for admin it says "Invalid username or password". This confirms that username : admin exists.
Further spraying default passwords and SQLi characters, I got a DB error when we insert
Steps to reproduce
- Go to the endpoint /vaccination-manager/login.php, intercept in Burp
- Send the request to repeater.
- Now, in the body, input admin as the username and the payload as the password
- Send the request, now you see the 302 status code with
- Using the cookie, log in as admin to the vaccine portal.
Using sqlmap we can dump the complete database. I have dumped the username and password of the vaccine manager using this command :)
sqlmap -u "https://fab105cd1ac9-buraaq.a.firstbloodhackers.com/vaccination-manager/login.php" --data "username=admin&password=*" --dump -D firstblood -T vaccination_managers -C id,username,password
An attacker can use SQL injection to bypass a web application's authentication and authorization mechanisms and retrieve the contents of an entire database. SQLi can also be used to add, modify and delete records in a database, affecting data integrity.
' or 1'='1
FirstBlood ID: 30
Vulnerability Type: SQL Injection
There is an SQL injection on the vaccination management portal login page which results in the user being able to log in as the administrator.
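
The flawed login pattern behind this report beside a corrected one, as an added example that is not part of the original report or FirstBlood's own code. It assumes an in-memory SQLite table standing in for the real database; the table and column names come from the sqlmap command in the report, while the function names and the stored credential are constructed for illustration.

```python
import hmac
import sqlite3

GENERIC_ERROR = "Invalid username or password"  # one message for every failure


def make_db():
    # Constructed stand-in for the portal's database (assumption: SQLite).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE vaccination_managers "
               "(id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)")
    # Constructed credential, kept in plain text only to isolate the query fix;
    # a real table should hold a salted password hash.
    db.execute("INSERT INTO vaccination_managers (username, password) VALUES (?, ?)",
               ("admin", "constructed-sample-pw"))
    return db


def login_vulnerable(db, username, password):
    # Flawed pattern: request fields are concatenated into the SQL text, so a
    # quote in either field changes the statement. The two failure messages
    # also differ, which reveals which usernames exist.
    known = db.execute("SELECT 1 FROM vaccination_managers WHERE username = '"
                       + username + "'").fetchone()
    if known is None:
        return False, "User does not exist"
    row = db.execute("SELECT id FROM vaccination_managers WHERE username = '"
                     + username + "' AND password = '" + password + "'").fetchone()
    return (True, None) if row else (False, GENERIC_ERROR)


def login_hardened(db, username, password):
    # Bound parameter: the driver passes the value as data, never as SQL text.
    row = db.execute("SELECT password FROM vaccination_managers WHERE username = ?",
                     (username,)).fetchone()
    stored = row[0] if row else ""
    # Constant-time compare; unknown user and wrong password look identical.
    ok = row is not None and hmac.compare_digest(stored.encode(), password.encode())
    return (True, None) if ok else (False, GENERIC_ERROR)
```

With a password field containing a quote character, `login_vulnerable` either raises a database error or accepts the login, while `login_hardened` returns the generic error in both cases.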