CVE-2020-5192
published 2020-01-06


Priority: P2 · 64 · high · CVSS 3.1 score 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 16.81% (96.7th percentile)
PHPGurukul Hospital Management System in PHP v4.0 suffers from multiple SQL injection vulnerabilities: multiple pages and parameters are not validating user input, and allow for the application's database and information to be fully compromised.

Affected (1 range)

Vendor: phpgurukul
Product: hospital_management_system
Version range: (not listed)
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

url: /hospital/hospital/hms/doctor/search.php
url: /hospital/hospital/hms/doctor/view-patient.php
url: /hospital/hospital/hms/doctor/add-patient.php
url: /hospital/hospital/hms/admin/change-password.php
url: /hospital/hms/doctor/search.php
command: searchdata=' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(CONCAT('qvxbq','zIuFTDXhtLrbZmAXQXxIalrRpZgCjsPnduKboFfW'),'qpqjq'),NULL-- PqeG&search=
command: viewid=6' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7162767071,0x7957464b6f4a78624b536a75497051715a71587353746a4b6e45716441646345614f725449555748,0x717a717a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- XNyp
command: bp=123&bs=123' AND SLEEP(5) AND 'CKbI'='CKbI&weight=123&temp=123&pres=123&submit=
command: cpass=123' AND SLEEP(5)-- taxP&npass=123&cfpass=123&submit=123
command: searchdata='+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(CONCAT(md5({{num}}),1),2),NULL--+PqeG&search=
  • Detect UNION-based SQL injection attempts in POST parameter 'searchdata' on /doctor/search.php — look for UNION ALL SELECT with NULL columns and CONCAT payloads
  • Detect boolean-based and time-based blind SQLi in GET parameter 'viewid' on /doctor/view-patient.php — payloads include AND SLEEP(5) and AND <int>=<int>
  • Detect time-based blind SQLi in POST parameter 'bs' — payload contains AND SLEEP(5) injected into medical history submission
  • Detect boolean-based and time-based blind SQLi in POST parameter 'cpass' on /admin/change-password.php — payloads include AND SLEEP(5) and AND <int>=<int>#
  • Use Shodan/FOFA to identify exposed Hospital Management System instances as targets: shodan-query 'http.html:"hospital management system"', fofa-query 'body="hospital management system"'
  • Nuclei template detection: POST to /hospital/hms/doctor/search.php with UNION payload and match md5 hash of a known number in the response body confirms exploitation
  • All five vulnerable endpoints require authenticated sessions (doctor or admin login); exploitation is post-authentication (PR:L in CVSS)
  • The exploit was tested against a local instance at IP 10.0.0.214; the path prefix '/hospital/hospital/hms/' may vary depending on deployment configuration
  • Back-end DBMS confirmed as MySQL >= 5.0.0 (MariaDB fork); injection techniques and payloads are MySQL-specific (e.g., SLEEP, NULL-based UNION)
  • Web stack at time of testing was Apache 2.4.41 and PHP 7.4.1; detections tied to this stack may need adjustment for other environments
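
A minimal request matcher for the parameter-level detections listed above, as an added example (not taken from the CVE record or its sources). It matches endpoints by path suffix because the deployment prefix varies; the function name, signature labels and sample requests are constructed, and treating 'bs' as path-independent is an assumption.

```python
import re
from urllib.parse import parse_qsl

# Parameter -> path suffix it is reported on. None = any path: the page does
# not name the endpoint for 'bs', so matching it everywhere is an assumption.
WATCHED = {
    "searchdata": "/hms/doctor/search.php",
    "viewid": "/hms/doctor/view-patient.php",
    "cpass": "/hms/admin/change-password.php",
    "bs": None,
}

# MySQL-specific payload shapes named in the detection notes.
SIGNATURES = {
    "union": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    "time-blind": re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I),
    "boolean-blind": re.compile(r"\bAND\s+\d+\s*=\s*\d+", re.I),
}

def flag_request(path, params):
    """Return sorted (parameter, technique) hits for one request.

    `params` is the raw query string or urlencoded POST body; parse_qsl
    decodes '+' and %xx so encoded and plain payloads match alike.
    """
    hits = set()
    for name, value in parse_qsl(params, keep_blank_values=True):
        if name not in WATCHED:
            continue
        suffix = WATCHED[name]
        if suffix and not path.endswith(suffix):
            continue
        for technique, rx in SIGNATURES.items():
            if rx.search(value):
                hits.add((name, technique))
    return sorted(hits)

# Constructed sample requests (path, urlencoded parameters); not real logs.
SAMPLES = [
    ("/hospital/hms/doctor/search.php", "searchdata='+UNION+ALL+SELECT+NULL,NULL--+x&search="),
    ("/hms/doctor/view-patient.php", "viewid=6'+AND+SLEEP(5)--+x"),
    ("/hms/doctor/view-patient.php", "viewid=6'+AND+4821=4821--+x"),
    ("/hms/admin/change-password.php", "cpass=123'%20AND%20SLEEP(5)--%20x&npass=1&cfpass=1"),
    ("/hms/doctor/search.php", "searchdata=john+smith&search="),
]

if __name__ == "__main__":
    for path, params in SAMPLES:
        print(path, flag_request(path, params))
```

POST bodies are not present in default Apache access logs, so this check needs body-aware input such as WAF or reverse-proxy audit logs.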

CVSS provenance

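Source: nvd · Version: v3.1 · Score: 8.8 · Severity: HIGH · Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: nvd · Version: v2.0 · Score: 6.5 · Severity: MEDIUM · Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P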