FirstBlood-#773 — SQL Injection Vulnerability in Vaccine Management Portal Allow Authentication Bypass
This issue was discovered on FirstBlood v2
On 2021-10-28, netmous3 Level 4 reported:
I was able to identify SQLi vulnerability in Vaccine Management portal which allow any unauthenticated person to gain the access.
First I have noticed that vaccination-manager endpoint has it's own login page. While I try to uncover the login information I noticed that it make two different error messages.
One error message was generated when I entered a none existence user.
And Other error generate for valid user , but with incorrect password.
This allowed me to guess the
adminis a valid user for this portal. Then I tried to identify the possible password for this user. This effort let me to notice a SQL error when entered a single quotation in the password field.
This led to believe that this endpoint is vulnerable to SQLI.
I used simple SQLi login bypass with
' OR 1=1 --[space]and it was success.
Unauthenticated persons allowed to access the patients healthcare reports. In this case, attacker allowed to view patients vaccine proof documents along with his email id and IP address that he used to upload the data.
Remediation: (As in OWASP)
Option 1: Use of Prepared Statements (with Parameterized Queries) Option 2: Use of Stored Procedures Option 3: Allow-list Input Validation Option 4: Escaping All User Supplied Input
Also: Enforcing Least Privilege Also: Performing Allow-list Input Validation as a Secondary Defense
' OR 1=1 --
FirstBlood ID: 30
Vulnerability Type: SQL Injection
There is an SQL injection on the vaccination management portal login page which results in the user being able to login as the administrator.