FirstBlood-#742 — [COLLAB] Enumerate users via vaccination manager login
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-27, amec0e Level 3 reported:
I found from the previous report Deserialization to RCE and using
'ls *'as the payload we can get a directory listing which shows us theres a login/logout and portal endpoint in the
/vaccination-manager/directory. On this login page it is possible to enumerate valid usernames via different error messages. Also viewing the endpoint
/vaccination-manager/portal.phpin the response you can see it Sets a cookie to be deleted called
vaccination_managerI haven't found a use for this just yet though!
UPDATE: While this is initially reported as being able to enumerate valid users (which we can do) we can also now bypass the login using a SQL Injection
Impact was initilly low because we are able to successfully enumerate valid usernames.
However we can bypass the login panel using SQL Injection which allows us to view all uploaded vaccination proof's along with emails and IP's
Steps to reproduce:
- Visit the endpoint
/vaccination-manager/login.phpand Enter incorrect credentials like test:test
You will see "User does not exist"
However if we enter a valid username we get "Invalid username or password"
And so we can successfully confirm there is an admin account.
I was able to bypass the login using the username
adminand the password as a SQL statement
' OR 1=1#
Request & Response:
In Collaboration with thebinarybot
FirstBlood ID: 30
Vulnerability Type: SQL Injection
There is an SQL injection on the vaccination management portal login page which results in the user being able to login as the administrator.