Search for hundreds of thousands of exploits

"Online Healthcare Patient Record Management System 1.0 - Authentication Bypass"

Author

Exploit author

"Daniel Monzón"

Platform

Exploit platform

php

Release date

Exploit published date

2020-05-18

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
# Exploit Title: Online Healthcare Patient Record Management System 1.0 - Authentication Bypass
# Google Dork: N/A
# Date: 2020-05-18
# Exploit Author: Daniel Monzón (stark0de)
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14217/online-healthcare-patient-record-management-system-using-phpmysql.html
# Version: N/A
# Tested on: Kali Linux 2020.2 x64
# CVE : N/A


The Online Healthcare Patient Record Management System suffers from multiple authentication bypass vulnerabilities: 

The login.php file allows a user to just supply  or 1=1  as a username and whatever password and bypass the authentication

<?php
        session_start();
        if(ISSET($_POST['login'])){
                $username = $_POST['username'];
                $password = $_POST['password'];
                $conn = new mysqli("localhost", "root", "", "hcpms") or die(mysqli_error());
                $query = $conn->query("SELECT * FROM `user` WHERE `username` = '$username' && `password` = '$password'") or die(mysqli_error());

The same happens with login.php for the admin area:

<?php
        session_start();
        $username = $_POST['username'];
        $password = $_POST['password'];
        if(ISSET($_POST['login'])){
                $conn = new mysqli("localhost", "root", "", "hcpms") or die(mysqli_error());
                $query = $conn->query("SELECT *FROM `admin` WHERE `username` = '$username' && `password` = '$password'") or die(mysqli_error());
                $fetch = $query->fetch_array();
                $valid = $query->num_rows;
                        if($valid > 0){
                                $_SESSION['admin_id'] = $fetch['admin_id'];
                                header("location:home.php");



There is also an authentication bypass issue located in add_user.php:

<?php
        if(ISSET($_POST['save_user'])){
                $username = $_POST['username']; 
                $password = $_POST['password']; 
                $firstname = $_POST['firstname']; 
                $middlename = $_POST['middlename']; 
                $lastname = $_POST['lastname']; 
                $section = $_POST['section']; 
                $conn = new mysqli("localhost", "root", "", "hcpms");
                $q1 = $conn->query("SELECT * FROM `user` WHERE `username` = '$username'") or die(mysqli_error());
                $f1 = $q1->fetch_array();
                $c1 = $q1->num_rows;
                        if($c1 > 0){
                                echo "<script>alert('Username already taken')</script>";
                        }else{
                                $conn->query("INSERT INTO `user` VALUES('', '$username', '$password', '$firstname', '$middlename', '$lastname', '$section')");
                                header("location: user.php");
                        }
        }
If a request is made with the required parameters, any user can create an admin account (no authentication is required to do this).

Finally, there are many SQL injection vulnerabilities (GET parameters directly passed to SQL queries), but those are authenticated
Release DateTitleTypePlatformAuthor
2020-05-29"Crystal Shard http-protection 0.2.0 - IP Spoofing Bypass"webappsmultiple"Halis Duraki"
2020-05-29"WordPress Plugin Multi-Scheduler 1.0.0 - Cross-Site Request Forgery (Delete User)"webappsphpUnD3sc0n0c1d0
2020-05-28"EyouCMS 1.4.6 - Persistent Cross-Site Scripting"webappsphp"China Banking and Insurance Information Technology Management Co."
2020-05-28"NOKIA VitalSuite SPM 2020 - 'UserName' SQL Injection"webappsmultiple"Berk Dusunur"
2020-05-28"QNAP QTS and Photo Station 6.0.3 - Remote Command Execution"webappsphpTh3GundY
2020-05-28"Online-Exam-System 2015 - 'fid' SQL Injection"webappsphp"Berk Dusunur"
2020-05-27"LimeSurvey 4.1.11 - 'Permission Roles' Persistent Cross-Site Scripting"webappsphp"Matthew Aberegg"
2020-05-27"osTicket 1.14.1 - 'Saved Search' Persistent Cross-Site Scripting"webappsphp"Matthew Aberegg"
2020-05-27"Kuicms PHP EE 2.0 - Persistent Cross-Site Scripting"webappsphp"China Banking and Insurance Information Technology Management Co."
2020-05-27"Online Marriage Registration System 1.0 - Persistent Cross-Site Scripting"webappsphp"that faceless coder"
Release DateTitleTypePlatformAuthor
2020-05-29"WordPress Plugin Multi-Scheduler 1.0.0 - Cross-Site Request Forgery (Delete User)"webappsphpUnD3sc0n0c1d0
2020-05-28"QNAP QTS and Photo Station 6.0.3 - Remote Command Execution"webappsphpTh3GundY
2020-05-28"Online-Exam-System 2015 - 'fid' SQL Injection"webappsphp"Berk Dusunur"
2020-05-28"EyouCMS 1.4.6 - Persistent Cross-Site Scripting"webappsphp"China Banking and Insurance Information Technology Management Co."
2020-05-27"Kuicms PHP EE 2.0 - Persistent Cross-Site Scripting"webappsphp"China Banking and Insurance Information Technology Management Co."
2020-05-27"osTicket 1.14.1 - 'Saved Search' Persistent Cross-Site Scripting"webappsphp"Matthew Aberegg"
2020-05-27"OXID eShop 6.3.4 - 'sorting' SQL Injection"webappsphpVulnSpy
2020-05-27"LimeSurvey 4.1.11 - 'Permission Roles' Persistent Cross-Site Scripting"webappsphp"Matthew Aberegg"
2020-05-27"Online Marriage Registration System 1.0 - Persistent Cross-Site Scripting"webappsphp"that faceless coder"
2020-05-27"osTicket 1.14.1 - 'Ticket Queue' Persistent Cross-Site Scripting"webappsphp"Matthew Aberegg"
Release DateTitleTypePlatformAuthor
2020-05-21"OpenEDX platform Ironwood 2.5 - Remote Code Execution"webappsmultiple"Daniel Monzón"
2020-05-18"Online Healthcare Patient Record Management System 1.0 - Authentication Bypass"webappsphp"Daniel Monzón"
2020-04-27"Online Course Registration 2.0 - Authentication Bypass"webappsphp"Daniel Monzón"
2020-04-13"Wordpress Plugin Media Library Assistant 2.81 - Local File Inclusion"webappsphp"Daniel Monzón"
2020-03-12"Wordpress Plugin Appointment Booking Calendar 1.3.34 - CSV Injection"webappsphp"Daniel Monzón"
2020-03-11"Wordpress Plugin Search Meter 2.13.2 - CSV injection"webappsphp"Daniel Monzón"
2020-01-31"Lotus Core CMS 1.0.1 - Local File Inclusion"webappsphp"Daniel Monzón"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/48481/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.