CVE-2023-7172 PoC — PHPGurukul Hospital Management System Admin Dashboard sql injection

Associated Vulnerability
Title: PHPGurukul Hospital Management System Admin Dashboard sql injection (CVE-2023-7172)
Description: A vulnerability, which was classified as critical, has been found in PHPGurukul Hospital Management System 1.0. Affected by this issue is some unknown functionality of the component Admin Dashboard. The manipulation leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249356.
Readme

# CVE-2023-7172

## Overview

This project contains a vulnerable version of a Hospital Management System (HMS) that is susceptible to SQL Injection (CVE-2023-7172). SQL Injection is a critical web application vulnerability that can have severe impacts on the security and functionality of a system.

## CVE Details

- **CVE ID:** [CVE-2023-7172](https://nvd.nist.gov/vuln/detail/CVE-2023-7172)
- **Vulnerability Type:** SQL Injection
- **Affected Component:** Admin login page
- **Vulnerable Parameter:** username
- **Vendor Details:** [phpgurukul.com](https://phpgurukul.com/hospital-management-system-in-php/)
- **Vulnerable Version:** Hospital Management System 1.0

## Steps to Reproduce (PoC)

### Clone the Repository:

```bash
git clone https://github.com/sharathc213/CVE-2023-7172.git
cd CVE-2023-7172
```

### Run Docker Compose:

```bash
docker-compose up -d
```

### Access the Admin Login Page:

Open a web browser and navigate to the admin login page, typically located at http://localhost:8080/hms/admin/

### Initial Login Attempt:

In the "Username" field, input the following:

```
admin' -- -
```

Fill in the "Password" field with any value (it doesn't matter in this case).

![POC](https://github.com/sharathc213/CVE-2023-7172/blob/main/Screenshot_2.jpg)


### Attempt to Log In:

Click the "Log In" button to attempt to log in using the modified username.

### Observe the Result:

If the application successfully logs you into the admin dashboard without requiring the correct password, it indicates that a SQL Injection vulnerability is likely present.

## Impact of SQL Injection in a Hospital Management System

SQL Injection is a critical web application vulnerability that can have severe and wide-ranging impacts on the security and functionality of a system. Here are the key potential impacts of a successful SQL Injection attack:

- Unauthorized Data Access
- Data Exfiltration
- Data Manipulation
- Account Takeover
- System Compromise
- Application Disruption
- Legal and Compliance Consequences
- Reputation Damage
- Financial Loss

## Mitigation Recommendations

To mitigate the SQL Injection vulnerability, consider implementing the following best practices:

- Parameterized Statements (Prepared Statements)
- Stored Procedures
- Input Validation
- Whitelisting
- Escaping User Inputs
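
The first recommendation, checked against the username from the reproduction steps, as an added example (not code from the PHPGurukul application or this repository). The table, column names, query shape and stored password are assumptions constructed for illustration, and SQLite stands in for the application's database.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory admin table (schema is an assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    # Plain-text password only to keep the example short; store a hash in practice.
    db.execute(
        "INSERT INTO admin (username, password) VALUES (?, ?)",
        ("admin", "constructed-secret"),
    )
    return db


def login_concatenated(db, username, password):
    """'Before' pattern: user input is spliced into the SQL text itself."""
    sql = (
        "SELECT id FROM admin WHERE username='" + username
        + "' AND password='" + password + "'"
    )
    return db.execute(sql).fetchone() is not None


def login_parameterized(db, username, password):
    """'After' pattern: placeholders keep input as data, never as SQL syntax."""
    sql = "SELECT id FROM admin WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None


def compare(username, password):
    """Return (concatenated_result, parameterized_result) for one login attempt."""
    db = make_db()
    try:
        return (
            login_concatenated(db, username, password),
            login_parameterized(db, username, password),
        )
    finally:
        db.close()


if __name__ == "__main__":
    attempts = [("admin", "constructed-secret"), ("admin", "wrong"), ("admin' -- -", "anything")]
    for user, pw in attempts:
        print(repr(user), compare(user, pw))
```

With the concatenated query, the quote closes the string literal and `-- -` comments out the password comparison; with placeholders the same input is compared as a literal username and matches no row.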


## Disclaimer

This project is intentionally vulnerable and should only be used for educational and testing purposes. Do not deploy this in a production environment.