Blind SQL Injection in ClinicCases 7.3.3

Details

ClinicCases 7.3.3 suffers from a blind SQL injection vulnerability, which allows low-privileged attackers to execute arbitrary SQL commands through a vulnerable parameter.

The SQL injection can be exploited by all user accounts, including low-privilege "student" users.

The HTTP GET parameter "start" is defined as "$start" in cases_casenotes_load.php. This parameter is not sanitised and can be used to manipulate the SQL query to execute arbitrary commands from an attacker. For example, an attacker can use the following payload to force the server to sleep for 5 seconds:

GET request:

This can be used with common tools, such as SQLmap, to extract all records in the database. This includes usernames, email addresses, password hashes, etc.



发表评论 / Comment

用心评论~