
CVE-2024-40502

My first CVE!

Overview

SQL Injection vulnerabilities continue to be a critical security issue in web applications, enabling attackers to interfere with the queries that an application makes to its database. Recently, a significant SQL Injection vulnerability was discovered in the Hospital Management System (HMS), a widely used application in healthcare institutions for managing patient records and hospital workflows. This article details the CVE-2024-40502 vulnerability, which specifically affects the login functionality of the system.

Vulnerability Details

CVE-2024-40502 affects the login mechanism of the Hospital Management System. The vulnerable file is Loginpage.aspx.cs, and the issue resides in the btn_login_b_click method. The username and password fields are included directly in an SQL query without proper sanitization, making the application susceptible to SQL Injection attacks.

Vulnerable Code

The problematic part of the code looks like this:

protected void btn_login_b_click(object sender, EventArgs e)
{
    string username = txtUsername.Text;
    string password = txtPassword.Text;

    // Vulnerable: the raw form values are concatenated straight into the SQL text,
    // so a quote in either field changes the structure of the statement
    string query = "SELECT * FROM Users WHERE username='" + username + "' AND password='" + password + "'";
    // Execute the query
}

This code directly inserts user input into an SQL query, which allows attackers to manipulate the SQL commands.

Exploit

By injecting the following payload into the username field, an attacker can bypass the login authentication:

SQL Injection Payload:

username: kishan'--

The single quote closes the username string literal and the -- sequence turns the remainder of the statement, including the entire password check, into an SQL comment. Upon a successful injection, the attacker will be logged in as the user kishan without supplying a password, provided they know the username.

Indicators of a Successful Exploit

After exploiting the vulnerability, the user will be redirected to the following URL:

https://localhost:44306/Users/MainAppoinment.aspx

This indicates a successful login bypass.

Mitigation

To mitigate this vulnerability, developers should adopt secure coding practices, such as using parameterized queries or prepared statements. With parameters, user input is sent to the database as data bound to placeholders rather than as part of the SQL text, so it cannot alter the structure of the command regardless of the characters it contains.

Here is a revised version of the vulnerable code using parameterized queries:

using System.Data.SqlClient; // provides SqlConnection and SqlCommand

protected void btn_login_b_click(object sender, EventArgs e)
{
    string username = txtUsername.Text;
    string password = txtPassword.Text;

    // Placeholders keep the user-supplied values out of the SQL text itself
    string query = "SELECT * FROM Users WHERE username=@username AND password=@password";

    // connectionString is assumed to be the application's existing connection setting
    using (SqlConnection conn = new SqlConnection(connectionString))
    using (SqlCommand cmd = new SqlCommand(query, conn))
    {
        // Bound as data: a value such as kishan'-- is compared literally, never parsed as SQL
        cmd.Parameters.AddWithValue("@username", username);
        cmd.Parameters.AddWithValue("@password", password);

        conn.Open();
        // Execute the query
    }
}

By implementing these changes, the application can resist SQL Injection attacks, thus enhancing its security posture.
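To show why the fix works, here is an added Python/SQLite reproduction of both code paths (illustrative code written for this page, not the HMS project's C#). It runs the write-up's kishan'-- payload through a concatenated query and a parameterized one against a constructed in-memory Users table with sample data.

```python
import sqlite3

# Constructed stand-in for the HMS Users table (sample data, not real records).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('kishan', 'correct-horse')")
    return conn

def login_concat(conn, username, password):
    """Mirrors the vulnerable btn_login_b_click: input spliced into the SQL text."""
    query = ("SELECT * FROM Users WHERE username='" + username
             + "' AND password='" + password + "'")
    return conn.execute(query).fetchone() is not None

def login_parameterized(conn, username, password):
    """Mirrors the fixed version: values are bound, so they can only ever be data."""
    query = "SELECT * FROM Users WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone() is not None

def compare(username, password):
    """Return (concatenated_result, parameterized_result) for one login attempt."""
    conn = make_db()
    try:
        return (login_concat(conn, username, password),
                login_parameterized(conn, username, password))
    finally:
        conn.close()

if __name__ == "__main__":
    # Valid credentials succeed on both paths.
    print(compare("kishan", "correct-horse"))   # (True, True)
    # The payload from the write-up: the password check is commented out only
    # when the input becomes part of the query string; bound, it is just a
    # username that does not exist.
    print(compare("kishan'--", "anything"))     # (True, False)
```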

Conclusion

SQL Injection vulnerabilities pose a significant risk to web applications, particularly those handling sensitive data like the Hospital Management System. It is crucial for developers to follow secure coding practices to prevent such vulnerabilities and protect user data from unauthorized access.

Stay vigilant and ensure your applications are secure by regularly testing and updating them against known vulnerabilities.

References

Exploit Published on Packet Storm Security
MITRE CVE Database Entry

Last updated 10 months ago