FirstBlood-#725: Vaccine Login is vulnerable to SQLi
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-27, buraaq Level 2 reported:

Hello zseano,

Summary

POST-based SQLi on /vaccination-manager/login.php.

While spraying common usernames, I observed that usernames other than admin give "User does not exist", but for admin it says "Invalid username or password". This confirms that the username admin exists.

Further spraying default passwords and SQLi characters, I got a DB error when we insert ' (single quote).

Steps to reproduce
  1. Go to the endpoint /vaccination-manager/login.php and intercept the request in Burp.
  2. Send the request to Repeater.
  3. Now, in the body, input admin as the username and the payload as the password: username=admin&password='%20or%20'1'%3d'1
  4. Send the request; now you see the 302 status code with the vaccination_manager cookie.
  5. Using the cookie, log in as admin to the vaccine portal.

Using sqlmap we can dump the complete database. I have dumped the username and password of the vaccine manager using this command :)

sqlmap -u "https://fab105cd1ac9-buraaq.a.firstbloodhackers.com/vaccination-manager/login.php" --data "username=admin&password=*" --dump -D firstblood -T vaccination_managers -C id,username,password

POC

Impact

An attacker can use SQL injection to bypass a web application's authentication and authorization mechanisms and retrieve the contents of an entire database. SQLi can also be used to add, modify and delete records in a database, affecting data integrity.

Kind Regards,

buraaqsec

P1 CRITICAL

Endpoint: /vaccination-manager/login.php

Parameter: password

Payload: ' or 1'='1


FirstBlood ID: 30
Vulnerability Type: SQL Injection

There is an SQL injection on the vaccination management portal login page which results in the user being able to login as the administrator.
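
The report does not show the source of login.php, so the following is an added example and not FirstBlood's code: a Python/sqlite3 model of a login query built by string concatenation, beside a parameterized version that also returns one failure message for unknown users and wrong passwords. The table and column names come from the sqlmap command in the report; the function names, the sample row and the success string are assumptions.

```python
import hmac
import sqlite3

SAMPLE_PW = "constructed-sample-password"  # constructed value, not from the report
GENERIC = "Invalid username or password"

def make_db():
    # Table and column names follow the report's sqlmap command; the row is constructed.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE vaccination_managers "
               "(id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.execute("INSERT INTO vaccination_managers (username, password) VALUES (?, ?)",
               ("admin", SAMPLE_PW))
    return db

def login_vulnerable(db, username, password):
    # Assumed "before": request fields are concatenated into the SQL text.
    base = f"SELECT id FROM vaccination_managers WHERE username='{username}'"
    try:
        if db.execute(base).fetchone() is None:
            return "User does not exist"  # distinct message reveals valid usernames
        row = db.execute(base + f" AND password='{password}'").fetchone()
    except sqlite3.Error as exc:
        return f"DB error: {exc}"  # raw database error returned to the client
    return "302 logged in" if row else GENERIC

def login_hardened(db, username, password):
    # Bound parameter: the username is always data, never SQL syntax.
    row = db.execute("SELECT password FROM vaccination_managers WHERE username = ?",
                     (username,)).fetchone()
    stored = row[0] if row else ""
    # Compare outside SQL in constant time; password hashing is out of scope here.
    ok = hmac.compare_digest(stored.encode(), password.encode()) and row is not None
    # One message for unknown user and wrong password, so usernames cannot be probed.
    return "302 logged in" if ok else GENERIC

if __name__ == "__main__":
    db = make_db()
    for user, pw in [("nobody", "x"), ("admin", "'"), ("admin", "' or '1'='1"),
                     ("admin", SAMPLE_PW)]:
        print(repr((user, pw)), "|", login_vulnerable(db, user, pw),
              "|", login_hardened(db, user, pw))
```

The three behaviours in the report (username enumeration, the DB error on a single quote, and the login bypass) all appear in the vulnerable column of the output and collapse to the same generic failure in the hardened one.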