FirstBlood-#790SQLi allows to bypass login page for the vaccination-manager portal
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-28, panya Level 7 reported:

After some recon I found that the new feature (vaccination-manager) has a login page located at /vaccination-manager/login.php.

The form allows enumerating registered users (because it returns an error "User does not exist" for an unregistered username). I tried username "admin" and it indeed registered (returns "Invalid username or password" for a random password).

But the password field value is vulnerable to SQL injection.

So to bypass the login form and logging-in as admin, we can use this payload as the admin user's password field value: test' or 1=1#

Impact:

An attacker could log in to the vaccination manager portal as admin. Also, the attacker could exfiltrate data from this database, with sqlmap, for example using this command:

sqlmap -u 'https://7f2942c64ee8-panya.a.firstbloodhackers.com/vaccination-manager/login.php' --data 'username=admin&password=test'  --dbms MySQL --technique B --dump -D firstblood

P1 CRITICAL

Endpoint: /vaccination-manager/login.php

Parameter: password

Payload: &username=admin&test' or 1=1#


FirstBlood ID: 30
Vulnerability Type: SQL Injection

There is an SQL injection on the vaccination management portal login page which results in the user being able to login as the administrator.