COVID19 Testing Management System 1.0 - SQL Injection in Password Recovery leads to Admin Account Takeover

2021.06.14
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: COVID19 Testing Management System 1.0 - SQL Injection in Password Recovery leads to Admin Account Takeover
# Date: 12 June 2021
# Exploit Author: BHAVESH KAUL
# Author Linkedin: https://www.linkedin.com/in/bhavesh-kaul-cs/
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/covid19-testing-management-system-using-php-and-mysql/
# Version: 1.0
# Tested on: Server: XAMPP

# Description #
COVID19 Testing Management System 1.0 is vulnerable to SQL Injection in its Password Recovery form because user-supplied data is not sufficiently sanitized before it reaches the query. The attacker was able to change the administrator password by submitting a SQL Injection payload in the Mobile Number field. A successful admin dashboard login was then performed with the changed password, completing the account takeover.

# Proof of Concept (PoC) : Exploit #
1) Go to: http://localhost/covid-tms/password-recovery.php
2) Enter the username as 'admin'
3) Insert the following SQLi payload as mobile number: admin' or '1'='1
4) Enter your desired password and submit the form
5) Form submission is successful and we are able to log in as admin with our changed password

# Image PoC : Reference Image #
1) Vulnerable Parameter: https://ibb.co/dgBTKWZ
2) Payload Success: https://ibb.co/M99jng0
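To show why the recovery form can be abused and what the fix looks like, here is an added example (not the application's code; the table and column names, and the in-memory SQLite store, are assumptions). It builds the password-update step once by string concatenation and once with bound parameters, then runs the advisory's payload through both: the concatenated version turns the `AND mobile = ...` check into an always-true condition and rewrites the admin password, while the parameterized version treats the same input as a plain string and changes nothing.

```python
import sqlite3

# Constructed sample data standing in for the application's admin table.
# Table/column names are assumptions, not taken from the real application.
SCHEMA = """
CREATE TABLE tbladmin (
    id INTEGER PRIMARY KEY,
    username TEXT NOT NULL,
    mobile TEXT NOT NULL,
    password TEXT NOT NULL
);
INSERT INTO tbladmin (username, mobile, password)
VALUES ('admin', '9999999999', 'original');
"""


def fresh_db():
    """Return a fresh in-memory database seeded with one admin row."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def recover_vulnerable(conn, username, mobile, new_password):
    """Recovery step built by string concatenation (the bug class in the advisory).
    Returns the number of rows whose password was changed."""
    sql = ("UPDATE tbladmin SET password='%s' "
           "WHERE username='%s' AND mobile='%s'"
           % (new_password, username, mobile))
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def recover_fixed(conn, username, mobile, new_password):
    """Same step with bound parameters: the driver sends the mobile value as
    data, so quotes and OR clauses inside it are compared, never parsed."""
    cur = conn.execute(
        "UPDATE tbladmin SET password=? WHERE username=? AND mobile=?",
        (new_password, username, mobile),
    )
    conn.commit()
    return cur.rowcount


def password_of(conn, username):
    """Helper used to observe the effect of each recovery attempt."""
    row = conn.execute("SELECT password FROM tbladmin WHERE username=?",
                       (username,)).fetchone()
    return row[0] if row else None
```

The same principle applies to the PHP/MySQL stack the software runs on: a `mysqli` or PDO prepared statement with bound parameters removes this bug class, while escaping or filtering individual characters does not.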


Copyright 2024, cxsecurity.com