CVE-2025-3186
📋 TL;DR
This SQL injection vulnerability in Projectworlds Online Doctor Appointment Booking System 1.0 lets remote attackers manipulate database queries through the appid parameter of /patient/invoice.php. An attacker can read, modify, or delete appointment and patient data held in the application's database. Every installation of version 1.0 is affected: the script passes appid into the SQL query without validation or parameterization.
💻 Affected Systems
- Projectworlds Online Doctor Appointment Booking System
📦 What is this software?
A PHP web application from Projectworlds in which patients book appointments with doctors and view the resulting invoices; /patient/invoice.php renders an invoice selected by the appid request parameter. It is distributed as a downloadable project rather than a maintained product, so there is no vendor patch channel to watch.
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the application database: every patient record and appointment can be read, altered, or deleted. If the database account also has file-write or similar privileges, the injection can be escalated to code execution on the server.
Likely Case
Unauthorized access to patient appointment records, personal information, and potential data exfiltration or modification.
If Mitigated
Limited impact if a WAF blocks the injection and the application's database account is restricted to the tables and operations it actually needs.
🎯 Exploit Status
Public proof-of-concept exploit code is available, so exploitation requires only basic SQL injection knowledge or an off-the-shelf injection tool.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch available. Consider migrating to a supported alternative or implementing workarounds.
🔧 Temporary Workarounds
Input Validation and Sanitization
Add parameterized queries and input validation for the appid parameter in invoice.php
Modify /patient/invoice.php to use a prepared statement (table and column names illustrative; if appid is numeric, also reject non-integer values before the query): $stmt = $conn->prepare('SELECT * FROM invoices WHERE appid = ?'); $stmt->bind_param('s', $_GET['appid']); $stmt->execute();
WAF Rule Implementation
Deploy web application firewall rules to block SQL injection patterns
Add WAF rule (ModSecurity syntax): SecRule ARGS:appid "@detectSQLi" "id:1001,phase:2,deny,status:403,log,msg:'SQLi attempt in appid (CVE-2025-3186)'"
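To make the difference between the two workarounds concrete, the following is an added example (not code from the Projectworlds project) that models the vulnerable query and its fixed forms in Python against an in-memory SQLite table, so it runs offline. The table and column names follow the illustrative prepared statement above, not a known schema, and the sample rows are constructed; the real fix belongs in invoice.php with mysqli prepared statements.

```python
import re
import sqlite3

# Constructed sample data standing in for the application's invoice table.
SAMPLE_ROWS = [
    (1, "alice", 120.00),
    (2, "alice", 45.50),
    (3, "bob", 300.00),
]


def make_db() -> sqlite3.Connection:
    """In-memory table named after the advisory's illustrative fix (schema assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (appid INTEGER PRIMARY KEY, patient TEXT, amount REAL)"
    )
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def invoice_vulnerable(conn: sqlite3.Connection, appid: str) -> list:
    """The flawed pattern: the request value is spliced into the SQL text,
    so a quote in appid closes the literal and the remainder becomes SQL."""
    sql = "SELECT appid, patient, amount FROM invoices WHERE appid = '" + appid + "'"
    return conn.execute(sql).fetchall()


def invoice_bound_only(conn: sqlite3.Connection, appid: str) -> list:
    """Parameter binding alone (the advisory's prepared-statement fix with a
    string bind): the whole value is compared as data, never parsed as SQL."""
    return conn.execute(
        "SELECT appid, patient, amount FROM invoices WHERE appid = ?", (appid,)
    ).fetchall()


def invoice_hardened(conn: sqlite3.Connection, appid: str) -> list:
    """Binding plus an allow-list check: junk is rejected before it reaches
    the database at all (appid is assumed to be a positive integer)."""
    if not re.fullmatch(r"[0-9]{1,10}", appid):
        raise ValueError("appid must be a positive integer")
    return conn.execute(
        "SELECT appid, patient, amount FROM invoices WHERE appid = ?", (int(appid),)
    ).fetchall()


def compare(appid: str) -> dict:
    """Run all three versions on the same input and summarise the row counts."""
    conn = make_db()
    out = {
        "vulnerable_rows": len(invoice_vulnerable(conn, appid)),
        "bound_only_rows": len(invoice_bound_only(conn, appid)),
    }
    try:
        out["hardened_rows"] = len(invoice_hardened(conn, appid))
        out["hardened_rejected"] = False
    except ValueError:
        out["hardened_rows"] = 0
        out["hardened_rejected"] = True
    return out


if __name__ == "__main__":
    for value in ("1", "1' OR '1'='1"):
        print(repr(value), compare(value))
```

With a benign appid all three versions return the single matching invoice; with the advisory's `1' OR '1'='1` payload the concatenated query returns every row in the table, the bound query returns nothing, and the validated version never queries at all.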
🧯 If You Can't Patch
- Block external access to /patient/invoice.php via firewall rules or web server configuration
- Run the application under a dedicated database account granted only the privileges it needs on its own tables (typically SELECT/INSERT/UPDATE); deny FILE, DROP/ALTER, and access to other schemas, so a successful injection cannot reach other data or the filesystem
🔍 How to Verify
Check if Vulnerable:
Request /patient/invoice.php with a known-good appid, then with an injected value such as /patient/invoice.php?appid=1' OR '1'='1. A response that differs from the benign one (extra or different invoice data, or a MySQL error message) shows the input reaches the query unsanitized.
Check Version:
The project is distributed as a single release (1.0); treat any installation obtained from Projectworlds as affected unless invoice.php has been modified locally.
Verify Fix Applied:
Repeat the same requests: the injected values should now produce the same response as any other invalid appid (no data and no SQL error), and the benign request should still return the invoice.
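The check above can be scripted as a boolean-based and error-based probe. This is an added example, not part of the original advisory: the network part uses urllib against a base URL you supply, and the decision logic is a pure function so it can be exercised on constructed response bodies. The probes cover both plausible query contexts, numeric (appid = 1) and quoted (appid = '1'), which goes slightly beyond the single payload in the text; the error patterns are common MySQL/PHP fragments and are assumptions about what the application emits.

```python
import re
import urllib.error
import urllib.parse
import urllib.request

# Common MySQL/PHP error fragments that show unsanitized input reached the query.
SQL_ERROR_PATTERNS = [
    r"You have an error in your SQL syntax",
    r"mysqli?_fetch_(array|assoc|row)\(\)",
    r"Warning: mysqli",
]

# (true-condition, false-condition) payload templates per query context.
PROBES = {
    "numeric": ("{id} AND 1=1", "{id} AND 1=2"),
    "quoted": ("{id}' AND '1'='1", "{id}' AND '1'='2"),
}


def classify(baseline: str, true_body: str, false_body: str) -> str:
    """Decide from three response bodies whether appid looks injectable.
    baseline: response for the plain known-good appid.
    true_body/false_body: responses for the always-true / always-false probes."""
    for pattern in SQL_ERROR_PATTERNS:
        if re.search(pattern, true_body) or re.search(pattern, false_body):
            return "error-based: SQL error text reached the response"
    if true_body == baseline and false_body != baseline:
        return "boolean-based: injected condition changes the result"
    return "no injection indicated"


def fetch(base_url: str, appid: str, timeout: float = 10.0) -> str:
    """GET /patient/invoice.php?appid=<value>, returning the body even on 4xx/5xx."""
    url = base_url.rstrip("/") + "/patient/invoice.php?" + urllib.parse.urlencode({"appid": appid})
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")


def check_target(base_url: str, known_good_appid: str = "1") -> dict:
    """Live probe; run only against systems you are authorized to test."""
    baseline = fetch(base_url, known_good_appid)
    return {
        ctx: classify(
            baseline,
            fetch(base_url, t.format(id=known_good_appid)),
            fetch(base_url, f.format(id=known_good_appid)),
        )
        for ctx, (t, f) in PROBES.items()
    }


if __name__ == "__main__":
    import sys
    for ctx, verdict in check_target(sys.argv[1]).items():
        print(f"{ctx}: {verdict}")
```

If the page embeds per-request content (timestamps, CSRF tokens), strip it before comparing bodies, otherwise the boolean check will never see two equal responses. After the fix, both contexts should report "no injection indicated".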
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL error messages in application logs
- Multiple requests to /patient/invoice.php with special characters
- Database query errors containing user input
Network Indicators:
- HTTP requests to /patient/invoice.php with SQL keywords (UNION, SELECT, etc.)
- Abnormal query volume or error rate from the web server's database account (for example, a burst of failed queries or full-table reads on the invoice table)
SIEM Query:
source="web_logs" AND uri_path="/patient/invoice.php" AND (query_string="*'*" OR query_string="*%27*" OR query_string="*UNION*" OR query_string="*SELECT*" OR query_string="*OR*1=1*" OR query_string="*1%3D1*")
Match against the URL-decoded query string where your platform provides one; attackers encode the quote as %27 and spaces as %20 or +, so raw-string matching on the literal keywords alone misses most payloads. Since appid should be numeric, any non-digit value for that parameter is itself worth alerting on.
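The same logic as a script over access logs, for environments without a SIEM, is given here as an added example (not from the advisory). It URL-decodes the query string, restricts itself to the appid parameter of /patient/invoice.php, and flags both generic injection patterns and the simpler signal that appid is not a plain integer. The log lines are constructed in Apache/nginx combined format; the hostile entries use the advisory's payload and two further common probes.

```python
import re
import urllib.parse

# Combined log format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Generic SQLi indicators, applied to the decoded parameter value.
SQLI_RE = re.compile(
    r"(['\"#;]|--|/\*|\b(or|and)\b\s*['\"\d]|\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\()",
    re.IGNORECASE,
)

# Constructed sample: one benign request, three probes from one source,
# and an unrelated injection attempt against a different script.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Apr/2025:08:01:12 +0000] "GET /patient/invoice.php?appid=17 HTTP/1.1" 200 2311
10.0.0.5 - - [10/Apr/2025:08:01:40 +0000] "GET /patient/index.php HTTP/1.1" 200 1200
198.51.100.23 - - [10/Apr/2025:08:02:03 +0000] "GET /patient/invoice.php?appid=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9870
198.51.100.23 - - [10/Apr/2025:08:02:09 +0000] "GET /patient/invoice.php?appid=1%27%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 500 412
198.51.100.23 - - [10/Apr/2025:08:02:15 +0000] "GET /patient/invoice.php?appid=1%20AND%20SLEEP(5) HTTP/1.1" 200 2311
203.0.113.9 - - [10/Apr/2025:08:03:00 +0000] "GET /doctor/login.php?user=x%27%20OR%201%3D1 HTTP/1.1" 200 800
"""


def suspicious_requests(lines, path="/patient/invoice.php", param="appid") -> list:
    """Return one record per request whose `param` value on `path` looks injected."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parsed = urllib.parse.urlsplit(m["target"])
        if parsed.path != path:
            continue
        # parse_qs percent-decodes and turns '+' into a space for us.
        values = urllib.parse.parse_qs(parsed.query, keep_blank_values=True).get(param, [])
        for value in values:
            reasons = []
            if not value.isdecimal():
                reasons.append("non-numeric appid")
            if SQLI_RE.search(value):
                reasons.append("sql injection pattern")
            if reasons:
                hits.append({
                    "ip": m["ip"],
                    "time": m["ts"],
                    "status": m["status"],
                    "appid": value,
                    "reasons": reasons,
                })
    return hits


def sources(hits) -> dict:
    """Count flagged requests per client IP, the usual pivot for a SIEM alert."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = suspicious_requests(SAMPLE_LOG.splitlines())
    for h in found:
        print(h["ip"], h["status"], repr(h["appid"]), ", ".join(h["reasons"]))
    print(sources(found))
```

Point it at a real file with `suspicious_requests(open("access.log"))`. The time-based SLEEP probe shows why a status-code filter alone is not enough: it returned 200 with a normal-sized body, and only the parameter content gives it away.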