FirstBlood-#785 SQL Injection on vaccination-manager login page to access portal
This issue was discovered on FirstBlood v2



On 2021-10-28, xnl-h4ck3r Level 4 reported:

Summary

A SQL Injection vulnerability exists on the password field on endpoint /vaccination-manager/login.php. An attacker can find a valid user name based on the error message returned by the server, and then use a SQLi payload in the password field to log in and access /vaccination-manager/portal.php

The page also gives specific error messages that allow an attacker to find valid user names (which could also allow them to brute force passwords), and an SQL error message, helping an attacker craft a working payload.

Steps to reproduce

  1. You can see that entering a user of test, password of test and pressing SECURE LOGIN returns the message User does not exist. This allows an attacker to find a valid username. Enter admin and a password of test and the message is Invalid username or password.

  2. Enter a username of admin and a password of ' and you will get an SQL error returned:

  3. Now we know it's a MariaDB database, we can use a specific SQLi payload for MariaDB. Enter a username of admin and a password of 1' OR 1 = 1# and click SECURE LOGIN. Observe that you now have admin access to the Vaccination Management portal (/vaccination-manager/portal.php):

Impact

An attacker can gain access to the Vaccination Management portal and view the PII and uploaded files of any user who has uploaded a proof of vaccination.

P1 CRITICAL

Endpoint: /vaccination-manager/login.php

Parameter: password

Payload: 1' OR 1 = 1#


FirstBlood ID: 30
Vulnerability Type: SQL Injection

There is an SQL injection on the vaccination management portal login page which results in the user being able to log in as the administrator.
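The following Python script is an added illustration of the two weaknesses in this report, not code from the original report or from the FirstBlood application. It models a login handler that (a) answers "User does not exist" before checking the password, giving username enumeration, and (b) concatenates the password field into the SQL string, giving the injection, and sets a parameterized, single-message version beside it. The table, the admin row, the function names and the exact SQL are assumptions; the report does not show the server-side code. Because the demo runs on SQLite (which has no MariaDB-style `#` line comment), the injected payload uses `-- ` as the comment terminator instead of the report's `#`; the effect on the query is the same.

```python
import sqlite3

# Payload from the report. In MariaDB/MySQL '#' starts a comment, so the
# server ends up evaluating:  ... AND password = '1' OR 1 = 1
PAGE_PAYLOAD = "1' OR 1 = 1#"
# SQLite (used so this runs offline) has no '#' comment; '--' is the equivalent
# line comment, so the demo injects this variant instead (assumption: same effect).
DEMO_PAYLOAD = "1' OR 1 = 1-- "


def make_db():
    """Constructed demo database; not FirstBlood's schema or data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    # Plaintext password only to keep the demo short; real code stores a hash.
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery')")
    return conn


def vulnerable_login(conn, username, password):
    """Hypothetical reconstruction of the behaviour described in the report:
    a user-exists check with its own message (username enumeration), then the
    password concatenated straight into the SQL string (injection)."""
    exists = conn.execute(
        "SELECT 1 FROM users WHERE username = ?", (username,)
    ).fetchone()
    if exists is None:
        return "User does not exist"          # distinct message -> enumeration
    sql = (
        "SELECT username FROM users WHERE username = ? "
        f"AND password = '{password}'"        # attacker-controlled text in SQL
    )
    try:
        row = conn.execute(sql, (username,)).fetchone()
    except sqlite3.Error as exc:
        return f"SQL error: {exc}"            # verbose error -> helps craft a payload
    return f"Logged in as {row[0]}" if row else "Invalid username or password"


def safe_login(conn, username, password):
    """Hardened form: both values bound as parameters, so quotes and comment
    markers in the password are data, and one generic message whether the
    username is unknown or the password is wrong."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return f"Logged in as {row[0]}" if row else "Invalid username or password"


if __name__ == "__main__":
    db = make_db()
    attempts = [("test", "test"), ("admin", "test"), ("admin", "'"),
                ("admin", DEMO_PAYLOAD)]
    for user, pw in attempts:
        print(f"{user!r} / {pw!r}: vulnerable -> {vulnerable_login(db, user, pw)!r}, "
              f"safe -> {safe_login(db, user, pw)!r}")
```

Running the script walks through the report's three steps against `vulnerable_login` (unknown user, wrong password, lone quote producing a database error, then the OR-true payload logging in as admin) and shows that `safe_login` returns the same generic message for every one of them. The `AND` before `OR` precedence is what makes the payload work: `username = 'admin' AND password = '1'` is false, but `OR 1 = 1` makes the whole WHERE clause true and the first row comes back.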