Researcher: Ankit Patidar
Role: Ethical Security Researcher
During a security assessment of the open-source Hospital Management System (HMS) project by PHPGurukul, multiple critical-level vulnerabilities were discovered. These vulnerabilities allow:
- Full database extraction
- Complete admin login bypass
- Reflected XSS execution
- Exposure of sensitive data
All findings have been responsibly disclosed to the vendor.
Finding: SQL Injection in the admin login
Vulnerable File:
/hospital/hms/admin/index.php
Vulnerable Parameter:
username (POST)
Using SQLMap, full database extraction was possible.
Database: hms
Table: admin
username: admin
password_hash: e10adc3949ba59abbe56e057f20f883e
cracked password: 123456
Injection techniques confirmed by SQLMap:
- Boolean-based blind
- Error-based
- Time-based blind
- UNION query
All four were confirmed injectable.
Finding: Authentication Bypass
The login system does NOT properly sanitize input.
Working Payload:
admin' OR '1'='1' --
This payload bypasses authentication and gives full admin dashboard access.
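The two handler shapes behind this finding, as an added example that is not PHPGurukul's code: the string-concatenation pattern the report describes, beside a login that uses the prepared statements and server-side validation the remediation section recommends. The table and column names (admin, username, password), the connection details and the use of password_hash() storage are assumptions; the report only shows the hms database, the admin table and an MD5-style hash.

```php
<?php
// Added example (not PHPGurukul's code). Table/column names and the
// password_hash() storage format are assumptions, not taken from the report.
declare(strict_types=1);

// --- Vulnerable pattern (the shape the report describes; do not use) ---
function vulnerable_login(mysqli $db, string $username, string $password): bool
{
    // User input is concatenated straight into SQL, so a crafted username
    // changes the query structure instead of being treated as data.
    // An unsalted MD5 digest is stored, which is why the report could recover
    // the password from the hash.
    $sql = "SELECT id FROM admin WHERE username='" . $username
         . "' AND password='" . md5($password) . "'";
    $result = $db->query($sql);
    return $result !== false && $result->num_rows > 0;
}

// --- Hardened pattern ---
function validate_username(string $username): bool
{
    // Server-side validation: bounded length and a conservative character set.
    return (bool) preg_match('/^[A-Za-z0-9_.@-]{3,64}$/', $username);
}

function secure_login(mysqli $db, string $username, string $password): bool
{
    if (!validate_username($username) || $password === '' || strlen($password) > 256) {
        return false;
    }

    // Prepared statement: the query structure is fixed before the value is
    // bound, so the username can never be interpreted as SQL. Only the hash is
    // read from the database; the comparison happens in PHP.
    $stmt = $db->prepare('SELECT id, password FROM admin WHERE username = ? LIMIT 1');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($id, $storedHash);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found) {
        return false;
    }

    // Assumption: the stored value is a password_hash() result (bcrypt by
    // default), so password_verify() does a salted, constant-time comparison.
    return password_verify($password, (string) $storedHash);
}

// Usage, reading the same POST field the report names (connection details
// are placeholders):
// $db = new mysqli('localhost', 'hms_user', 'hms_pass', 'hms');
// session_start();
// if (secure_login($db, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
//     session_regenerate_id(true);
//     $_SESSION['admin'] = $_POST['username'];
// }
```

With the prepared statement the report's `admin' OR '1'='1' --` value is simply looked up as a literal username and finds no row; the bypass depends entirely on the concatenation in the first function.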
Finding: Reflected Cross-Site Scripting (XSS)
Multiple input fields directly reflect user input without sanitization.
Trigger Payload:
"><script>alert(1)</script>
This opens a JavaScript alert box and can be used for:
- Session Hijacking
- Cookie Theft
- Admin Takeover
All PoCs include:
- SQLMap terminal logs
- Dashboard access after bypass
- XSS popup execution
- Raw vulnerable queries shown by server
(Screenshots are attached separately in the repository's images folder.)
Remediation:
- Use prepared statements / parameterized queries
- Avoid directly concatenating user input
- Escape output using htmlspecialchars()
- Add server-side validation
- Implement Content Security Policy (CSP)
- Strict input validation
- Remove inline SQL
- Implement secure login validations
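Output escaping and a CSP header for the reflected-XSS finding above, as an added example that is not PHPGurukul's code; it shows the htmlspecialchars() and Content-Security-Policy items from the remediation list applied to a page that reflects a submitted value. The field name `searchdata` is an assumption, since the report does not name the reflecting parameter.

```php
<?php
// Added example (not PHPGurukul's code). The "searchdata" field name is an
// assumption; the report does not identify which fields reflect input.
declare(strict_types=1);

function esc(string $value): string
{
    // ENT_QUOTES escapes both " and ', so the value is inert inside a quoted
    // attribute as well as in text content. ENT_SUBSTITUTE avoids returning an
    // empty string on invalid UTF-8, which would otherwise silently drop the
    // value and hide encoding problems.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function send_security_headers(): void
{
    // A script-src without 'unsafe-inline' means an injected <script> block
    // is not executed even if escaping is missed somewhere in the page.
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'; frame-ancestors 'none'");
    header('X-Content-Type-Options: nosniff');
}

function render_search(string $term): string
{
    // The vulnerable shape the report describes echoes $term directly into the
    // value attribute, so the report's trigger payload closes the attribute
    // and the tag, then injects its own script element.
    // Here every reflection goes through esc(), so the same payload is
    // rendered as literal text inside the attribute and the paragraph.
    return '<input type="text" name="searchdata" value="' . esc($term) . '">'
         . '<p>Results for: ' . esc($term) . '</p>';
}

// Headers must be sent before any output.
send_security_headers();
echo render_search($_GET['searchdata'] ?? '');
```

Escaping on output is the primary fix; the CSP header is defence in depth for the places where a template forgets to call esc(). Note that htmlspecialchars() is only correct for HTML text and attribute contexts, so a value placed into a JavaScript block or a URL needs context-specific encoding instead.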
These findings were reported in good faith to PHPGurukul via email:
Email: info@phpgurukul.com
Awaiting their acknowledgment and patch updates.
Ankit Patidar
Ethical Security Researcher
Bug Bounty & Penetration Testing Enthusiast