Open hashtaginfosec opened 4 years ago
Hello, do you have a fix for this?
Use parameterized queries. If you take https://github.com/iPynch/Simple-PHP-Social-Network-Website/blob/master/socialnetwork/search.php#L26 line for example:
$key = $_GET['query'];
is reading user input as is, without checking if there's anything malicious in it. Then lines like https://github.com/iPynch/Simple-PHP-Social-Network-Website/blob/master/socialnetwork/search.php#L28 throw it, as is, in a SELECT query:
$sql = "SELECT * FROM users WHERE users.user_email = '$key'";
As a result, any input from the user is sent directly to the database, resulting in SQL queries making it to the DBMS. The results are then shown as is, resulting in a successful SQLi.
https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html#using-php-with-php-data-objects gives good examples of using parameterized queries to avoid SQL injections.
Note though, I don't know if iPynch meant for this app to be used in production. So, it may just not be on their radar to harden it against attacks. I only used this app in test environments when teaching web application security and attacks.
Not sure if you're planning to maintain the site but figured I'd report following parameters vulnerable to SQL Injection:
/profile.php?id=<vulnerable>
and /search.php?location=emails&query=<vulnerable>
Payloads you can use to test:
Single tick
/profile.php?id='
Always true statement:
/search.php?location=emails&query=1'+or+'1'%3D'1
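The following is an added example, not code from the iPynch repository or from either commenter. It puts the string-built query from search.php next to the PDO prepared-statement fix recommended above and runs the two payloads from this report against both, using a constructed in-memory SQLite table so it works offline. The table name `users` and the `user_email` column are taken from the quoted query; the `id` column and the sample rows are assumptions made for the demo.

```php
<?php
// Added example: vulnerable interpolated query vs. PDO prepared statement.
// Uses a constructed in-memory SQLite database so it runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample schema and rows (assumed to resemble the app's users table).
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, user_email TEXT)");
$pdo->exec("INSERT INTO users (user_email) VALUES ('alice@example.com'), ('bob@example.com')");

// Vulnerable: mirrors search.php, where $_GET['query'] is interpolated into the SQL as-is.
function searchVulnerable(PDO $pdo, string $key): array {
    $sql = "SELECT * FROM users WHERE users.user_email = '$key'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: the value is sent as a bound parameter, so it can never be parsed as SQL.
function searchParameterized(PDO $pdo, string $key): array {
    $stmt = $pdo->prepare("SELECT * FROM users WHERE users.user_email = :email");
    $stmt->execute([':email' => $key]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The "always true" payload from the report, URL-decoded:
// /search.php?location=emails&query=1'+or+'1'%3D'1
$payload = "1' or '1'='1";

// Vulnerable query becomes:
//   SELECT * FROM users WHERE users.user_email = '1' or '1'='1'
// which matches every row.
printf("vulnerable, always-true payload: %d rows\n", count(searchVulnerable($pdo, $payload)));

// Parameterized query looks for the literal e-mail address "1' or '1'='1" and matches nothing.
printf("parameterized, always-true payload: %d rows\n", count(searchParameterized($pdo, $payload)));

// The single-tick probe from the report (/profile.php?id=') breaks the concatenated
// query's syntax; with ERRMODE_EXCEPTION the DBMS error surfaces as a PDOException.
try {
    searchVulnerable($pdo, "'");
    echo "vulnerable, single tick: no error\n";
} catch (PDOException $e) {
    echo "vulnerable, single tick: SQL syntax error (" . $e->getMessage() . ")\n";
}

// The bound version treats the tick as data and simply finds no matching row.
printf("parameterized, single tick: %d rows\n", count(searchParameterized($pdo, "'")));
```

Run it with `php example.php`; the syntax error on the single tick is the same signal the report's first payload is meant to trigger, and the all-rows result is what the always-true payload produces. When porting the fix to a MySQL-backed install, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so the binding is done server-side rather than by client-side string escaping.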