iPynch / Simple-PHP-Social-Network-Website

Simple Social Network Website created with html, css, core javascript and core php.
GNU General Public License v3.0

SQL Injection #1

Open hashtaginfosec opened 4 years ago

hashtaginfosec commented 4 years ago

Not sure if you're planning to maintain the site but figured I'd report the following parameters vulnerable to SQL Injection: /profile.php?id=<vulnerable> and /search.php?location=emails&query=<vulnerable>

Payloads you can use to test:

Therealjosephchrzempiec commented 1 year ago

Hello, Do you have a fix for this?

hashtaginfosec commented 1 year ago

Use parameterized queries. If you take https://github.com/iPynch/Simple-PHP-Social-Network-Website/blob/master/socialnetwork/search.php#L26 line for example: $key = $_GET['query']; is reading user input as is, without checking if there's anything malicious in it. Then lines like https://github.com/iPynch/Simple-PHP-Social-Network-Website/blob/master/socialnetwork/search.php#L28 throw it, as is, in a SELECT query: $sql = "SELECT * FROM users WHERE users.user_email = '$key'";

As a result, any input from the user is sent directly to the database, resulting in SQL queries making it to the DBMS. The results are then shown as is, resulting in a successful SQLi.

https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html#using-php-with-php-data-objects gives good examples of using parameterized queries to avoid SQL injections.

Note though, I don't know if iPynch meant for this app to be used in production. So, it may just not be on their radar to harden it against attacks. I only used this app in test environments when teaching web application security and attacks.
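As an added illustration of the parameterized-query fix the comment above recommends (example code, not the project's own file): the same e-mail lookup as search.php, rewritten with a PDO prepared statement. It assumes an in-memory SQLite database and a `users` table with a `user_email` column so it runs stand-alone; the real app would use its own MySQL DSN and credentials, and the `user_id` column and sample rows are constructed here.

```php
<?php
// Added example: hardened replacement for the lookup in search.php.
// Original (vulnerable) form quoted in the issue:
//   $key = $_GET['query'];
//   $sql = "SELECT * FROM users WHERE users.user_email = '$key'";
// The user input is interpolated into the SQL text, so the DBMS parses it as
// part of the statement. Below, the input is bound as a parameter instead.

$pdo = new PDO('sqlite::memory:');                       // assumed: stand-alone DB
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// For MySQL, also disable emulated prepares so binding happens server-side:
// $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Constructed schema and sample rows, only so the example runs offline.
$pdo->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, user_email TEXT NOT NULL)');
$seed = $pdo->prepare('INSERT INTO users (user_email) VALUES (:email)');
foreach (['alice@example.com', "o'brien@example.com"] as $email) {
    $seed->execute([':email' => $email]);
}

/**
 * Exact-match lookup by e-mail. The value never becomes part of the SQL
 * string: it travels to the DBMS as a bound parameter, so quotes or SQL
 * keywords inside it are plain data.
 */
function findUsersByEmail(PDO $pdo, string $key): array
{
    $stmt = $pdo->prepare('SELECT * FROM users WHERE users.user_email = :key');
    $stmt->execute([':key' => $key]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// In search.php this would be $_GET['query']; constructed inputs here.
foreach (['alice@example.com', "o'brien@example.com", "nobody@example.com' --"] as $input) {
    $rows = findUsersByEmail($pdo, $input);
    // The quoted inputs no longer break or alter the query: the second
    // returns its one row, the third simply matches nothing.
    printf("%-28s -> %d row(s)\n", $input, count($rows));
}
```

Run with `php example.php`; the address containing an apostrophe matches its own row and the input with a trailing quote and comment marker returns zero rows without raising a syntax error.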