FirstBlood-#790 — SQLi allows bypassing the login page for the vaccination-manager portal
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-28, panya reported:
After some recon I found that the new feature (vaccination-manager) has a login page located at
The form allows enumerating registered users (because it returns an error "User does not exist" for an unregistered username). I tried username "admin" and it is indeed registered (returns "Invalid username or password" for a random password).
But the password field value is vulnerable to SQL injection.
So to bypass the login form and log in as admin, we can use this payload as the admin user's password field value:
test' or 1=1#
An attacker could log in to the vaccination manager portal as admin. Also, the attacker could exfiltrate data from this database with sqlmap, for example using this command:
sqlmap -u 'https://7f2942c64ee8-panya.a.firstbloodhackers.com/vaccination-manager/login.php' --data 'username=admin&password=test' --dbms MySQL --technique B --dump -D firstblood
&username=admin&test' or 1=1#
FirstBlood ID: 30
Vulnerability Type: SQL Injection
There is an SQL injection on the vaccination management portal login page which results in the user being able to log in as the administrator.
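To show why the finding above works and what the patch needs to look like, here is an added Python example (not code from the FirstBlood project or from the reporter) that models a login check written the way the report implies login.php behaved, beside a hardened version. It assumes a constructed two-row users table, uses SQLite in place of MySQL so it runs offline, and therefore uses the standard `--` line comment where the report's payload uses MySQL's `#`; the separate "user exists" lookup that produces the two different error messages is also an assumption, chosen to reproduce the enumeration behaviour the reporter observed.

```python
import sqlite3

# Constructed sample data standing in for the portal's real users table,
# which the report does not show.
USERS = [("admin", "correct-horse-battery"), ("nurse1", "hunter2")]

# The report's payload is  test' or 1=1#  and relies on MySQL's '#' line
# comment. SQLite (used here so the example runs offline) only knows the
# standard '--' comment, so this is the equivalent input for this demo.
PAYLOAD = "test' or 1=1-- "


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Login check written the way the report implies login.php behaves:
    input is spliced into the SQL text, and the two failure cases return
    different messages (which is what allowed user enumeration)."""
    exists = conn.execute(
        "SELECT 1 FROM users WHERE username = '%s'" % username).fetchone()
    if exists is None:
        return (False, "User does not exist")
    # A password that closes the quoted literal and appends "or 1=1" makes
    # the WHERE clause true for every row, so the check passes without the
    # real password (AND binds tighter than OR in SQL).
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    rows = conn.execute(sql).fetchall()
    if not rows:
        return (False, "Invalid username or password")
    return (True, sorted(r[0] for r in rows))


def login_hardened(conn, username, password):
    """Parameterized query plus one generic failure message. The driver sends
    the values separately from the SQL text, so quotes and comment markers
    in the input are compared as ordinary characters, never parsed as SQL,
    and an unknown username is indistinguishable from a wrong password."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    rows = conn.execute(sql, (username, password)).fetchall()
    if not rows:
        return (False, "Invalid username or password")
    return (True, [r[0] for r in rows])


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload as password:", login_vulnerable(db, "admin", PAYLOAD))
    print("hardened,   payload as password:", login_hardened(db, "admin", PAYLOAD))
    print("hardened,   unknown user:       ", login_hardened(db, "nobody", "x"))
```

Run stand-alone, the vulnerable check returns every row for the injected password while the hardened check rejects it and answers the same way for an unknown user as for a wrong password. The fix that matters is the parameterized query; the uniform error message closes the enumeration side channel the reporter used to confirm "admin" existed.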