Key Vulnerability Information

Vulnerability Description
Vulnerability ID: CVE-2025-65358
Vulnerability type: SQL Injection
Affected project: Edoc-doctor-appointment-system v1.0.1
Discoverer: Omkar Yepre
Report date: 2025-10-30

Vulnerability Details
CVSS Severity: CVSS 3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE:
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- CWE-20: Improper Input Validation

Vulnerability Summary
A SQL injection vulnerability exists in the docid parameter of the /admin/appointment.php endpoint of Edoc-doctor-appointment-system v1.0.1, through which an authenticated attacker with admin access can execute arbitrary SQL commands.

Exploitation Steps (POC)
1. Log in to the admin panel.
2. Interact with the appointments tab.
3. Analyze the HTTP POST request.
4. Use Burp Suite to capture the traffic.
5. Modify the docid parameter in the request.
6. Run SQLMap with a crafted payload.

Root Cause Analysis
- Server-side validation for the docid parameter is missing.
- User input is concatenated directly into SQL queries.
- No data validation is performed.

Mitigation Recommendations
- Use prepared statements.
- Validate all inputs server-side.
- Follow security best practices for avoiding SQL injection.
- Conduct code reviews.
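The root cause and the fix side by side, as an added illustrative example (not code from the Edoc-doctor-appointment-system project): the first function shows the concatenation pattern described above, the second validates docid server-side and uses a prepared statement with a bound parameter. The mysqli connection, the table name `appointment` and the column name `docid` are assumptions.

```php
<?php
// Added example, not the project's own code. Assumes a mysqli connection $db
// and a table "appointment" with an integer column "docid" (both assumed names).

// VULNERABLE pattern (CWE-89): request input is concatenated directly into the SQL text,
// so whatever the client sends in docid is parsed by MySQL as part of the query.
function appointments_by_doctor_unsafe(mysqli $db, string $docid): array
{
    $sql = "SELECT * FROM appointment WHERE docid = '" . $docid . "'";
    $result = $db->query($sql);
    return $result ? $result->fetch_all(MYSQLI_ASSOC) : [];
}

// HARDENED: validate on the server (CWE-20), then bind the value instead of
// splicing it into the query text.
function appointments_by_doctor_safe(mysqli $db, string $docid): array
{
    // docid must be a positive integer; anything else is rejected before any SQL runs.
    $id = filter_var($docid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('docid must be a positive integer');
    }

    // Prepared statement: the query text is fixed, the value travels separately
    // and can never change the statement's structure.
    $stmt = $db->prepare('SELECT * FROM appointment WHERE docid = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Usage with the POSTed parameter (placeholder connection details).
$db = new mysqli('localhost', 'db_user', 'db_password', 'edoc_db');
$rows = appointments_by_doctor_safe($db, $_POST['docid'] ?? '');
```

Applying the same validate-then-bind pattern to every parameter that reaches a query in the admin pages addresses both CWEs listed above.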