SQL Injection in Online Hospital Management System login_1.php

Vulnerability Overview Vulnerability Name: Online Hospital Management System SQL Injection in login_1.php Vulnerability Description: A critical SQL injection vulnerability exists in the file. The controllable parameter (sent via HTTP POST) is directly concatenated into a SELECT SQL query without any escaping or the use of prepared statements. The application subsequently checks the returned rows to verify the password and user role. Since is the login handler and requires no prior authentication, any unauthenticated remote attacker can trigger this vulnerability. An malicious attacker can completely bypass authentication to log in as any user (including administrators) or use UNION-based or blind SQL injection techniques to extract sensitive data from the database. Code Analysis: The value of is obtained directly from the login form and inserted into the SQL query string without any escaping or the use of prepared statements. The application then checks if any rows were returned and subsequently verifies the password and user role. However, attackers can inject malicious SQL code into the field to manipulate query logic or retrieve arbitrary data. Impact Scope Complete Authentication Bypass: Attackers can completely bypass authentication and log in as any user without a password. Acquisition of Administrator Access: By logging in as an administrator, attackers gain administrative privileges. Extraction of All Usernames and Passwords: All usernames and passwords can be extracted from the table, resulting in a complete credential leak. Access to Sensitive Data in Other Database Tables: Sensitive data in other database tables can be accessed via UNION-based or blind injection. Potential File Writing or Command Execution: Depending on MySQL user permissions and configuration, it may be possible to write files or execute commands on the server (e.g., via ). Remediation 1. Use Prepared Statements: Use prepared statements for all database queries involving user input. 2. Implement Input Validation: Restrict the field to accept only alphanumeric characters and the expected length. 3. Secure Password Storage: Use and instead of comparing plaintext passwords. 4. Add Rate Limiting and Account Locking: Prevent brute-force attacks and automated exploitation. 5. Disable Detailed Error Messages in Production: Display a generic "Invalid username or password" message regardless of the actual error. This prevents attackers from gaining feedback through injection attacks. 6. Apply the Principle of Least Privilege: The MySQL user employed by the application should only have the necessary permissions (no file privileges, no access to the schema, etc.). POC Code 1. Authentication Bypass (General Login) Submit the following to bypass authentication and log in as the first user in the database (usually the administrator): 2. Authentication Bypass for a Specific User Log in as a specific user (e.g., ) without knowing the password: 3. UNION-based Data Extraction Determine the number of columns (usually 4 or more): Extract the database name and version: Dump usernames and passwords from the table: 4. Time-based Blind SQL Injection If all errors are suppressed, time-based injection can be used to verify the vulnerability: 5. Automated Exploitation with sqlmap Save the POST request (including , , and fields) to a file named and run:

Goal Reached Thanks to every supporter — we hit 100%!

SQL Injection in Online Hospital Management System login_1.php

More from this source