Hospital Management System Project In ASP.Net MVC 1 SQL Injection

2024.07.17

Credit: 0xMykull

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2024-40502

CWE: CWE-89

# Exploit Title: Hospital Management System Project in ASP.Net MVC - SQL
Injection / Authentication Bypass
# Date: 07/16/2024
# Exploit Author: 0xMykull
# Vendor Hompage:
https://itsourcecode.com/free-projects/asp/hospital-management-system-project-in-asp-net-mvc-with-source-code/
# Software Link:
https://itsourcecode.com/free-projects/asp/hospital-management-system-project-in-asp-net-mvc-with-source-code/
# Version: 1
# CVE: CVE-2024-40502

Description:
An SQL injection vulnerability has been discovered in the btn_login_b_Click
function of the affected web application. The vulnerability exists due to
the improper sanitization of user-supplied input in the login form.
Specifically, the txt_login_username.Text and txt_login_pass.Text fields
are concatenated directly into an SQL query string without proper
parameterization or escaping.

Endpoint: https://localhost:44306/Users/Loginpage.aspx

Bypass Payloads:

(default user)
Username: kihsan'--
password: <anything>

Username: <anyvaliduser>'--
password: <anything>

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Hospital Management System Project In ASP.Net MVC 1 SQL Injection

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.