CVE-2021-36621

8.1 HIGH

📋 TL;DR

CVE-2021-36621 is a time-based blind SQL injection in the username parameter of the login form of Sourcecodester Online Covid Vaccination Scheduler System 1.0. The injection point is reachable without authentication. Because the injection is blind, an attacker infers data one true/false answer at a time from how long the server takes to respond; that is slow, but reliable enough to recover the administrator's password hash and then log in as administrator. Any deployment that exposes the login page, together with the vaccination scheduling data behind it, is at risk.

💻 Affected Systems

Products:
  • Sourcecodester Online Covid Vaccination Scheduler System
Versions: 1.0
Operating Systems: Any OS that hosts the PHP/MySQL stack the application needs (typically a Linux or Windows web server); the flaw is in the application code, not the platform
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability is present in the default installation; no special configuration is required for exploitation.

📦 What is this software?

A free PHP/MySQL web application, distributed as downloadable source through sourcecodester.com, for booking and managing COVID-19 vaccination appointments. Projects published this way are self-hosted by whoever downloads them and are not maintained as supported products, which is why there is no vendor patch process or advisory for this issue.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker recovers the administrator password hash, cracks or otherwise uses it to log in as administrator, and then reads or alters every vaccination record; from that foothold they may try to push further onto the host (web shell, ransomware), depending on what the admin panel and the database account allow.

🟠

Likely Case

Unauthorized admin access leading to data theft, manipulation of vaccination records, and disruption of scheduling operations.

🟢

If Mitigated

If the login query is parameterised, or the login page is reachable only from trusted networks and fronted by a WAF, the injection cannot be exercised and the impact is limited to probe noise in the logs.

🌐 Internet-Facing: HIGH, as the system is likely web-accessible, making it directly exploitable from the internet without authentication.
🏢 Internal Only: MEDIUM, as internal attackers could still exploit it, but external threats are reduced if not internet-facing.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code exists, so attacks are trivially automated (sqlmap handles time-based blind injection out of the box). Each request leaks roughly one bit, so recovering a password hash takes hundreds of deliberately delayed requests rather than one; the technique is slow, not difficult, and the volume of traffic it generates is itself a detection opportunity.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified by vendor

Vendor Advisory: Not available

Restart Required: No

Instructions:

No vendor patch exists. Fix the source yourself: replace every string-built query in the login handler with a prepared statement (mysqli or PDO with bound parameters), and review the rest of the codebase for the same pattern, since the username parameter is the reported entry point but not necessarily the only one. Redeploy the modified files; PHP source changes take effect without a service restart.

🔧 Temporary Workarounds

Implement Input Validation and Sanitization

all

Parameterise the query; validate the input as defence in depth.

Prepared statements (mysqli or PDO with bound parameters) are the real fix: the SQL text becomes constant and the username can only ever be compared as a value. mysqli_real_escape_string() is better than raw concatenation but still relies on every call site quoting correctly and on the connection character set being set, so treat it as a stopgap. For validation, prefer a strict allow-list for usernames (letters, digits and a few punctuation characters, bounded in length) over a blocklist of "SQL characters", which is easy to bypass.
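The pattern and its fix side by side, as an added example (not the project's actual source, which this page does not reproduce): a login check that concatenates the username into SQL, beside a PDO prepared-statement version with an allow-list and password_verify(). It runs stand-alone against an in-memory SQLite database; the DSN, the table layout and the allow-list policy are assumptions, and since SQLite has no SLEEP() the demonstration uses a boolean bypass payload at the same injection point.

```php
<?php
// Added example (not the project's code): the string-built login query the
// advisory describes, beside the prepared-statement version that fixes it.
// Runs stand-alone on an in-memory SQLite database; for the real app swap the
// DSN for MySQL ('mysql:host=...;dbname=...'), the fixed function is unchanged.
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    // Constructed table and row; the real schema is an assumption.
    $db->exec('CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
    $ins = $db->prepare('INSERT INTO admin (username, password) VALUES (?, ?)');
    $ins->execute(['admin', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);
    return $db;
}

// VULNERABLE (pattern only, not the project's actual source): user input is
// spliced into the SQL text, so the attacker controls the query. When the
// injected condition is true the password is never checked at all.
function loginVulnerable(PDO $db, string $username, string $password): bool
{
    $sql = "SELECT id FROM admin WHERE username = '$username' AND password = '$password'";
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC) !== false;
}

// FIXED: the SQL text is constant and the username travels as a bound
// parameter, so it can only be compared as a value. The hash is verified in
// PHP, so the password never reaches SQL.
function loginFixed(PDO $db, string $username, string $password): bool
{
    // Defence in depth: allow-list the username (assumed policy, adjust to the
    // app's real rules). The prepared statement below is the actual fix.
    if (!preg_match('/^[A-Za-z0-9_.@-]{1,64}$/', $username)) {
        return false;
    }
    $stmt = $db->prepare('SELECT password FROM admin WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

$db = makeDb();
// SQLite has no SLEEP(), so this uses a boolean bypass instead of the advisory's
// time-based payload; the injection point and the fix are the same.
$payload = "' OR 1=1 -- ";
printf("vulnerable, injected : %s\n", loginVulnerable($db, $payload, 'x') ? 'LOGGED IN' : 'rejected');
printf("fixed, injected      : %s\n", loginFixed($db, $payload, 'x') ? 'LOGGED IN' : 'rejected');
printf("fixed, real password : %s\n", loginFixed($db, 'admin', 'correct horse battery staple') ? 'LOGGED IN' : 'rejected');
```

The vulnerable function logs the attacker in because the comment swallows the password check; the fixed one rejects the payload at the allow-list and would reject it at the bound parameter even without the allow-list. Keeping the password out of SQL entirely (hash lookup, then password_verify() in PHP) also removes a second injection point the original concatenation creates.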

Deploy Web Application Firewall (WAF)

linux

Block injection attempts in the username parameter before they reach PHP. A WAF is a stopgap that buys time for the code fix, not a replacement for it.

Example for ModSecurity (phase 2 so the POST body is inspected; @detectSQLi runs the libinjection SQL injection detector): SecRule ARGS:username "@detectSQLi" "id:1001,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,msg:'SQLi in username'". If the OWASP Core Rule Set is already loaded, its rule 942100 applies the same check to all request arguments.

🧯 If You Can't Patch

  • Isolate the system behind a firewall or VPN to limit access to trusted networks only.
  • Monitor for bursts of login POSTs from one client with long response times, and rate-limit or add back-off to login attempts: time-based extraction needs hundreds of requests, so throttling raises the cost of an attack considerably.

🔍 How to Verify

Check if Vulnerable:

Only test systems you are authorised to test. Record the response time of the login form with a benign, non-existent username, then submit the payload ' OR SLEEP(5)-- followed by a space (MySQL only treats -- as a comment when whitespace follows it), and then the same payload with SLEEP(10). Delays that track the requested sleep indicate injection; a single slow response does not. Because OR SLEEP(n) is evaluated once per row the query scans, the observed delay may be a multiple of n on tables with several rows, so keep n small. sqlmap automates the same check: sqlmap -u '<login URL>' --data 'username=a&password=b' -p username --technique=T
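A timing probe for the check above, as an added example (not from the advisory or the project): it measures a baseline, then SLEEP(n) and SLEEP(2n), and only reports injection if the delay scales, which filters out a merely slow server. The login URL, the 'password' field name and the fake server's two-row table are assumptions; 'username' is the parameter named in the advisory. With no argument the script runs against a built-in fake vulnerable server so it works offline; with a URL argument it POSTs to the real form.

```php
<?php
// Added example (not from the advisory): timing probe for time-based SQLi in
// the 'username' login parameter. Only run against systems you are authorised
// to test. The login URL and 'password' field name are assumptions.
declare(strict_types=1);

// Time one login attempt in seconds; $send is injectable so the decision logic
// below can be exercised offline against a fake server.
function timeRequest(callable $send, string $username): float
{
    $t0 = hrtime(true);
    $send($username);
    return (hrtime(true) - $t0) / 1e9;
}

function median(array $xs): float
{
    sort($xs);
    $n = count($xs);
    return $n % 2 ? $xs[intdiv($n, 2)] : ($xs[$n / 2 - 1] + $xs[$n / 2]) / 2;
}

// Baseline with a benign username, then SLEEP(n) and SLEEP(2n). We call it
// injectable only if both delays appear and scale with n; one slow response is
// just a slow server. Note the trailing space after "--": MySQL treats "--" as
// a comment only when whitespace follows it.
function probeTimeBased(callable $send, int $n = 3, int $trials = 3): array
{
    $measure = fn(string $u): float => median(
        array_map(fn($i) => timeRequest($send, $u), range(1, $trials))
    );
    $base = $measure('nosuchuser');
    $d1   = $measure("' OR SLEEP($n)-- ");
    $d2   = $measure("' OR SLEEP(" . (2 * $n) . ")-- ");
    // OR SLEEP(n) is evaluated once per row the query scans, so the observed
    // delay can be a multiple of n: test for "at least n", not "exactly n".
    $injectable = ($d1 - $base) >= 0.9 * $n
        && ($d2 - $base) >= 0.9 * 2 * $n
        && $d2 > $d1;
    return ['baseline' => $base, 'sleep_n' => $d1, 'sleep_2n' => $d2, 'injectable' => $injectable];
}

// Real sender: POST the login form with curl.
function curlSender(string $url): callable
{
    return function (string $username) use ($url): void {
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_POST           => true,
            CURLOPT_POSTFIELDS     => http_build_query(['username' => $username, 'password' => 'x']),
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_TIMEOUT        => 60,
        ]);
        curl_exec($ch);
        curl_close($ch);
    };
}

// Offline stand-in: a vulnerable server whose admin table has two rows
// (constructed), so every SLEEP(n) costs 2n seconds, exactly the case the
// ">= n" check is there for.
function fakeVulnerableSender(string $username): void
{
    if (preg_match('/SLEEP\((\d+)\)/i', $username, $m)) {
        sleep(2 * (int) $m[1]);
    }
}

$target = $argv[1] ?? null;                 // php probe.php http://host/login.php
$send   = $target ? curlSender($target) : 'fakeVulnerableSender';
$n      = $target ? 3 : 1;                  // keep the offline demo short
print_r(probeTimeBased($send, $n, $target ? 3 : 1));
```

Against the fake server the baseline is near zero, SLEEP(1) costs about 2 s and SLEEP(2) about 4 s, so the probe reports injectable even though the delay is double what was asked for; that is the row-count effect the text warns about, and why the check is a lower bound rather than an equality.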

Check Version:

Check the version shown in the admin panel or in the source files, but note that only one release (1.0) exists and no patched release was published: treat any installation of this package as vulnerable unless the login code has been fixed locally, and confirm by reading the login handler for SQL built by string concatenation.

Verify Fix Applied:

Retest with the same payloads: response times should match the baseline regardless of the username submitted. Confirm by code review as well, because a WAF that blocks the test payload produces the same result without fixing the code.

📡 Detection & Monitoring

Log Indicators:

  • Stock web-server access logs do not record POST bodies, so the injected username will not appear there; look in application login logs, a ModSecurity audit log, or reverse-proxy logs configured to record bodies. Indicators: bursts of failed logins from one client with usernames containing SLEEP(, BENCHMARK(, UNION SELECT or quote-OR sequences; unusually long response times on login POSTs (time-based extraction deliberately delays each one); SLEEP() queries in the MySQL slow query log once long_query_time is set below the delays you expect. SQL syntax errors are not a reliable indicator here: the payloads are valid SQL by design.

Network Indicators:

  • HTTP POSTs to the login endpoint whose body contains SLEEP, BENCHMARK, UNION SELECT or the quote-OR pattern, especially many such requests from one source in quick succession with response times clustered at the sleep value.

SIEM Query:

Example (Splunk-style; field names depend on how the username is logged). Avoid bare substring matches such as username="*OR*", which flag any legitimate name containing "or" (gordon, victoria): source="web_logs" | regex username="(?i)(sleep|benchmark)\s*\(|\bunion\s+select\b|'\s*(or|and)\b"
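The same markers applied over login records, as an added example (not from the advisory): a small PHP scanner with a word-boundary regex that ignores "gordon", "victoria" and "o'reilly" but flags the payloads, plus a per-client count of slow failed logins. The log lines are constructed, and the format (decoded username plus response time per login attempt) is an assumption about what your application or proxy logs.

```php
<?php
// Added example (not from the advisory): scan login records for time-based
// SQLi. Format is constructed: it assumes the application, reverse proxy or
// ModSecurity audit log records the decoded username and response time per
// attempt, because stock web-server access logs do not contain POST bodies.
declare(strict_types=1);

// Word-boundary markers: sleep(/benchmark( calls, UNION SELECT, quote-OR/AND,
// SQL comments. A bare substring match like "*OR*" would flag "gordon".
const SQLI_MARKERS = '/(?:sleep|benchmark)\s*\(|\bunion\s+(?:all\s+)?select\b|\'\s*(?:or|and)\b|--\s|\/\*/i';

// Constructed sample: time, client IP, event, decoded username, seconds taken.
const SAMPLE_LOG = <<<'LOG'
2021-07-20T10:00:01Z 198.51.100.7 login_failed username="gordon" dur=0.04
2021-07-20T10:00:03Z 198.51.100.7 login_ok username="victoria" dur=0.05
2021-07-20T10:01:00Z 203.0.113.5 login_failed username="' OR SLEEP(5)-- " dur=5.03
2021-07-20T10:01:06Z 203.0.113.5 login_failed username="' OR IF(ASCII(SUBSTR((SELECT password FROM admin),1,1))>64,SLEEP(5),0)-- " dur=5.04
2021-07-20T10:01:12Z 203.0.113.5 login_failed username="admin' UNION SELECT 1,2,3-- " dur=0.05
2021-07-20T10:02:00Z 192.0.2.9 login_failed username="o'reilly" dur=0.04
LOG;

function parseLine(string $line): ?array
{
    if (!preg_match('/^(\S+) (\S+) (\w+) username="(.*)" dur=([\d.]+)$/', $line, $m)) {
        return null;
    }
    return ['ts' => $m[1], 'ip' => $m[2], 'event' => $m[3], 'username' => $m[4], 'dur' => (float) $m[5]];
}

function isSqliPayload(string $username): bool
{
    return preg_match(SQLI_MARKERS, $username) === 1;
}

// Per-client summary: payload hits and slow failed logins (a time-based
// extraction is a long run of both from one source).
function scanLog(string $log, float $slowSeconds = 2.0): array
{
    $byIp = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $rec = parseLine($line);
        if ($rec === null) {
            continue;
        }
        $s = &$byIp[$rec['ip']];
        $s ??= ['payloads' => 0, 'slow_failures' => 0, 'examples' => []];
        if (isSqliPayload($rec['username'])) {
            $s['payloads']++;
            $s['examples'][] = $rec['username'];
        }
        if ($rec['event'] === 'login_failed' && $rec['dur'] >= $slowSeconds) {
            $s['slow_failures']++;
        }
        unset($s);
    }
    foreach ($byIp as &$s) {
        $s['verdict'] = $s['payloads'] > 0 ? 'SQLi payloads seen'
            : ($s['slow_failures'] > 0 ? 'slow failed logins, review' : 'clean');
    }
    unset($s);
    return $byIp;
}

print_r(scanLog(SAMPLE_LOG));
```

On the sample, 203.0.113.5 is reported with three payload hits and two slow failures, while the two clients with ordinary names come out clean. The slow-failure counter is the useful fallback when the username itself is not logged: a client whose failed logins consistently take several seconds while everyone else's take milliseconds is worth a look on its own.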
