FirstBlood-#873Username enumeration and SQL Injection on Vaccine Management login page
This issue was discovered on FirstBlood v2



On 2021-10-29, sumyth Level 2 reported:

Hi,

Please find a brief description of the vulnerability below,

Summary

On firstbloodhackers.com, using directory fuzzing it is possible to identify vaccine management login page. The login page can further be bypassed by using username enumeration and finally using SQL Injection.

Steps to Reproduce:

  1. Visit the login page at - https://9eebe8cbfef2-sumyth.a.firstbloodhackers.com/vaccination-manager/login.php

  2. Input any random username into the form and observe that the server responds back with 'User does not exist' message. It is possible to utilize this behavior to enumerate a valid user.

  1. It is observed that username 'admin' is a valid user of vaccine management portal as shown in the response from server,

  1. The password field on this page is also vulnerable to SQLi attacks. Using a simple payload to bypass the authentication - %27+or+1%3D1--+-, we are able to login to the portal.

The portal also allows to view the vaccination certificates directly leading to direct disclosure of sensitive PII.

Impact

Username enumeration along with SQL Injection in login page will allow an attacker to easily bypass the login restrictions and gain access to sensitive PII.

P1 CRITICAL

Parameter:

Payload:


FirstBlood ID: 30
Vulnerability Type: SQL Injection

There is an SQL injection on the vaccination management portal login page which results in the user being able to login as the administrator.