FirstBlood-#808 — SQL Injection in vaccination manager login
This issue was discovered on FirstBlood v2
On 2021-10-28, twsec Level 2 reported:
While trying to log in to the vaccination manager page, I tried SQL injection, and to my surprise it worked.
- Now we know that there's an admin user, so we type in the username admin, but in the password field we try some SQL commands ( ' or 1=1# ) and we get this error
- Send the request to Repeater and try the payloads there
Notice that now we have a redirect, BUT there's a vaccination manager cookie set. If I follow the redirection in Burp it'll take me to the login page, but all I need is the cookie.
- Open F12 on login.php and enter the cookie values manually like so:
Navigate to vaccination-manager/portal.php and you're in.
So SQL injection worked.
P1 CRITICAL
Endpoint: /login
Parameter: password
Payload: ' or 1=1#
FirstBlood ID: 30
Vulnerability Type: SQL Injection
There is an SQL injection on the vaccination management portal login page which results in the user being able to log in as the administrator.
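
The finding comes down to the password value reaching the SQL text as part of the statement. The following is an added example, not FirstBlood's code (the page does not show the server side): it puts that query shape beside a parameterized form in PHP/PDO. The table name `managers`, its columns, and all function names are assumptions.

```php
<?php
// Added example. Table/column names (managers, username, password,
// password_hash) and function names are hypothetical; the page does not
// show the application's server-side code.

// Vulnerable shape: request values are concatenated into the SQL text.
// A password of  ' or 1=1#  closes the string literal, adds an always-true
// condition, and in MySQL the # comments out the rest of the statement,
// so the WHERE clause matches every row.
function login_vulnerable(PDO $db, string $user, string $pass): bool
{
    $sql = "SELECT id FROM managers WHERE username = '$user' AND password = '$pass'";
    return $db->query($sql)->fetch() !== false;
}

// Hardened shape: the username is sent as a bound parameter, and the
// password never reaches the SQL layer; it is checked against a stored
// hash (created with password_hash()) in PHP.
function login_hardened(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM managers WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($pass, $hash);
}

// Login handler: the session (and its cookie) is created only after the
// credential check has passed, and the session id is rotated on login.
function handle_login(PDO $db, array $post): void
{
    $user = (string)($post['username'] ?? '');
    $pass = (string)($post['password'] ?? '');
    if (!login_hardened($db, $user, $pass)) {
        http_response_code(401);   // no session cookie on failure
        return;
    }
    session_start();
    session_regenerate_id(true);
    $_SESSION['manager'] = $user;
    header('Location: /vaccination-manager/portal.php');
}
```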