FirstBlood-#785 — SQL Injection on vaccination-manager login page to access portal
This issue was discovered on FirstBlood v2
On 2021-10-28, xnl-h4ck3r Level 4 reported:
Summary
A SQL Injection vulnerability exists on the password field on endpoint /vaccination-manager/login.php. An attacker can find a valid user name based on the error message returned by the server, and then use a SQLi payload in the password field to login and access /vaccination-manager/portal.php
The page also gives specific error messages that allow an attacker to find valid user names (which could allow them to also brute force for passwords), and a SQL error message, helping an attacker craft a working payload.
Steps to reproduce
- You can see that entering a user of test, password of test and pressing SECURE LOGIN returns the message User does not exist. This allows an attacker to find a valid username. Enter admin and a password of test and the message is Invalid username or password.
- Enter a username of admin and a password of ' and you will get a SQL error returned:
- Now we know it's a MariaDB database, we can use a specific SQLi payload for MariaDB. Enter a username of admin and a password of 1' OR 1 = 1# and click SECURE LOGIN. Observe that you now have admin access to the Vaccination Management portal (/vaccination-manager/portal.php):
Impact
An attacker can gain access to the Vaccination Management portal and view PII information and the uploaded files of any user who has uploaded a proof of vaccination.
P1 CRITICAL
Endpoint: /vaccination-manager/login.php
Parameter: password
Payload: 1' OR 1 = 1#
FirstBlood ID: 30
Vulnerability Type: SQL Injection
There is an SQL injection on the vaccination management portal login page which results in the user being able to login as the administrator.
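The two weaknesses the report describes, a login query assembled from raw input and error messages that tell an unknown user apart from a wrong password, shown beside a hardened login check. This is an added example, not code from FirstBlood or the reporter; the user table, salt and password are constructed, and SQLite stands in for MariaDB so it runs offline (hence '--' rather than '#' as the comment marker).

```python
import hashlib
import hmac
import sqlite3

# Constructed stand-in for the portal's user table; the real
# vaccination-manager schema, salt and credentials are not on the page.
SALT = b"constructed-salt"
GENERIC_ERROR = "Invalid username or password"

def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

DUMMY_HASH = hash_password("dummy")  # compared when the username is unknown

def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("admin", hash_password("not-the-real-password").hex()))
    return db

def login_vulnerable(db, username, password):
    """Query assembled by string formatting, the pattern the report's
    behaviour implies: the password field is parsed as SQL, so a tautology
    plus a comment marker ('--' in SQLite, '#' in MariaDB as in the report)
    returns the admin row, and a lone quote surfaces the database error."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND pw_hash = '{password}'")
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return f"SQL error: {exc}"  # echoing this is the report's second finding
    return row[0] if row else None

def login_hardened(db, username, password):
    """Bound parameters keep the input as data, the stored hash is compared in
    constant time, and unknown user and wrong password share one message, so
    the response no longer reveals which usernames exist."""
    row = db.execute("SELECT pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    stored = bytes.fromhex(row[0]) if row else DUMMY_HASH
    # compare_digest runs on every request; 'row is not None' is checked last
    ok = hmac.compare_digest(stored, hash_password(password)) and row is not None
    return (username, None) if ok else (None, GENERIC_ERROR)
```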