AaravRajSIngh / Chatbot

Cloud-based Student Information Chatbot system. Functionality which the chatbot should have in this project. Here are some details: A Student bot project is built using artificial algorithms that analyze the user's queries and understand the user's message. This system is a web application which provides an answer to the query of the student. Students just have to query through the bot which is used for chatting. Students can chat using any format; there is no specific format the user has to follow. The system uses built-in artificial intelligence to answer the query. The answers are appropriate to what the user queries. If the answer is found to be invalid, the user just needs to select the invalid answer button, which will notify the admin about the incorrect answer. The admin can view invalid answers through the portal via login. The system allows the admin to delete the invalid answer or to add a specific answer for that equivalent question. The user can query any college-related activities through the system. The user does not have to personally go to the college for enquiry. The system analyzes the question and then answers the user. The system answers the query as if it were answered by a person. With the help of artificial intelligence, the system answers the query asked by the students. The system replies using an effective graphical user interface, which gives the impression that a real person is talking to the user. The user can query about college-related activities online with the help of this web application. This system helps the student to be updated about the college activities. To make it cloud-based, deploy your web application integrated with AI on a cloud platform. You can use any cloud platform: AWS, GCP, Heroku, etc.

SQL Injection (Unauthenticated) #10

Open 4xpl0r3r opened 6 months ago

4xpl0r3r commented 6 months ago

SQL Injection (Unauthenticated)

Hello! I'd like to report an SQL injection vulnerability in your Chatbot web system. It doesn't require any authentication to trigger this vulnerability.

BTW, I found that this type of vulnerability exists in your project in more than one place; here I am reporting just one of them.

Analysis

In /index.php, the $username parameter is embedded before the prepare method is called, which means the SQL statement from the username POST parameter will be executed directly.

Steps To Reproduce - PoC

  1. Send a POST request with payload ' or 1=1 #
  2. Now you can log in as any user you want
  3. It's also possible to perform Boolean-based blind injection here, which may lead to full compromise of your database.

Impact

This vulnerability may lead to full compromise of your database.

Recommendations

Check the PR Code

Change your code from

$sql = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$stmt = $db->prepare($sql);
$stmt->execute();

to

$sql = "SELECT * FROM users WHERE username=? AND password=?";
$stmt = $db->prepare($sql);
$stmt->execute([$username, $password]);

All the best!
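
Because the report notes that the same pattern appears in more than one place in the project, a source audit is the natural follow-up to the single fix. The script below is an added example, not code from the report or the project: a heuristic Python scan that flags SQL strings built from PHP variables by interpolation or concatenation. The function name `find_interpolated_sql` and the sample (the report's two snippets, with the second renamed to `$sql2`/`$stmt2`) are constructed for the demo, and the scan only looks at single-line, double-quoted strings.

```python
import re

# Constructed sample: the two snippets from the report, placed in one PHP file.
SAMPLE_PHP = r'''<?php
$sql = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$stmt = $db->prepare($sql);
$stmt->execute();

$sql2 = "SELECT * FROM users WHERE username=? AND password=?";
$stmt2 = $db->prepare($sql2);
$stmt2->execute([$username, $password]);
'''

SQL_START = re.compile(r'^\s*(SELECT|INSERT|UPDATE|DELETE)\b', re.I)
# A double-quoted PHP string literal on one line (backslash escapes allowed).
DQ_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')
# $name or {$name...} inside a double-quoted string is interpolated by PHP.
INTERP = re.compile(r'(?<!\\)\{?\$[A-Za-z_]\w*')
# A string literal glued to a variable with PHP's "." operator.
CONCAT = re.compile(r'"\s*\.\s*\$[A-Za-z_]|\$\w+\s*\.\s*"')


def find_interpolated_sql(php_source):
    """Return [(line_no, [variables])] for SQL strings built from PHP variables."""
    findings = []
    for no, line in enumerate(php_source.splitlines(), 1):
        variables, has_sql = [], False
        for m in DQ_STRING.finditer(line):
            if SQL_START.match(m.group(1)):
                has_sql = True
                variables += [v.lstrip('{') for v in INTERP.findall(m.group(1))]
        if has_sql and CONCAT.search(line):
            variables.append('<concatenation>')
        if variables:
            findings.append((no, variables))
    return findings


if __name__ == '__main__':
    for line_no, names in find_interpolated_sql(SAMPLE_PHP):
        print(f'line {line_no}: SQL built from {", ".join(names)}')
```

Each hit is a candidate for conversion to `?` placeholders as in the fix above; a clean result does not prove the absence of injection, since multi-line or heredoc queries are outside what this scan reads.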