bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/48481.txt
Offensive Security 6aad755e5e DB: 2020-05-19 
10 changes to exploits/shellcodes

HP LinuxKI 6.01 - Remote Command Injection
Mikrotik Router Monitoring System 1.2.3 - 'community' SQL Injection
Wordpress Plugin Ajax Load More 5.3.1 - '#1' Authenticated SQL Injection
Online Examination System 1.0 - 'eid' SQL Injection
Oracle Hospitality RES 3700 5.7 - Remote Code Execution
forma.lms The E-Learning Suite 2.3.0.2 - Persistent Cross-Site Scripting
Monstra CMS 3.0.4 - Authenticated Arbitrary File Upload
online Chatting System 1.0 - 'id' SQL Injection
Online Healthcare Patient Record Management System 1.0 - Authentication Bypass
Online Healthcare management system 1.0 - Authentication Bypass
2020-05-19 05:01:51 +00:00

64 lines
No EOL
3.1 KiB
Text
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Exploit Title: Online Healthcare Patient Record Management System 1.0 - Authentication Bypass
# Google Dork: N/A
# Date: 2020-05-18
# Exploit Author: Daniel Monzón (stark0de)
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14217/online-healthcare-patient-record-management-system-using-phpmysql.html
# Version: N/A
# Tested on: Kali Linux 2020.2 x64
# CVE : N/A
The Online Healthcare Patient Record Management System suffers from multiple authentication bypass vulnerabilities:
The login.php file allows a user to just supply or 1=1 as a username and whatever password and bypass the authentication
<?php
session_start();
if(ISSET($_POST['login'])){
$username = $_POST['username'];
$password = $_POST['password'];
$conn = new mysqli("localhost", "root", "", "hcpms") or die(mysqli_error());
$query = $conn->query("SELECT * FROM `user` WHERE `username` = '$username' && `password` = '$password'") or die(mysqli_error());
The same happens with login.php for the admin area:
<?php
session_start();
$username = $_POST['username'];
$password = $_POST['password'];
if(ISSET($_POST['login'])){
$conn = new mysqli("localhost", "root", "", "hcpms") or die(mysqli_error());
$query = $conn->query("SELECT *FROM `admin` WHERE `username` = '$username' && `password` = '$password'") or die(mysqli_error());
$fetch = $query->fetch_array();
$valid = $query->num_rows;
if($valid > 0){
$_SESSION['admin_id'] = $fetch['admin_id'];
header("location:home.php");
There is also an authentication bypass issue located in add_user.php:
<?php
if(ISSET($_POST['save_user'])){
$username = $_POST['username'];
$password = $_POST['password'];
$firstname = $_POST['firstname'];
$middlename = $_POST['middlename'];
$lastname = $_POST['lastname'];
$section = $_POST['section'];
$conn = new mysqli("localhost", "root", "", "hcpms");
$q1 = $conn->query("SELECT * FROM `user` WHERE `username` = '$username'") or die(mysqli_error());
$f1 = $q1->fetch_array();
$c1 = $q1->num_rows;
if($c1 > 0){
echo "<script>alert('Username already taken')</script>";
}else{
$conn->query("INSERT INTO `user` VALUES('', '$username', '$password', '$firstname', '$middlename', '$lastname', '$section')");
header("location: user.php");
}
}
If a request is made with the required parameters, any user can create an admin account (no authentication is required to do this).
Finally, there are many SQL injection vulnerabilities (GET parameters directly passed to SQL queries), but those are authenticated
Reference in a new issue View git blame Copy permalink