jenyraval / Phishing-Simulation

Phishing Simulation mainly aims to increase phishing awareness by providing an intuitive tutorial and customized assessment
GNU General Public License v3.0

Multiple SQL Injections #2

Closed fbogner closed 5 years ago

fbogner commented 5 years ago

As this tool has also been introduced on the Full Disclosure mailing list I got interested and took a brief look at its source code. Thereby I detected several SQL injections:

For example see https://github.com/jenyraval/Phishing-Simulation/blob/master/phishClient/test.php

```php
// htmlspecialchars() encodes for HTML output; it does not escape SQL quoting
$testcode = htmlspecialchars($_POST['testcode']);
$empid = htmlspecialchars($_POST['empid']);
// user input is concatenated straight into the statement
$query = "insert into employee (testcode,empid) values ('$testcode','$empid');";
```

By setting the post param testcode to `1'` the resulting SQL statement is: `insert into employee (testcode,empid) values ('1'','12');` -> a first proof that this is exploitable

[Screenshot 2019-08-08 at 08:22:46]

With the help of SQLmap this can even be automated:

[Screenshot 2019-08-08 at 08:28:35]

There are further files that show signs of SQL injections:

- https://github.com/jenyraval/Phishing-Simulation/blob/master/AdminPanel/setup2.php
- https://github.com/jenyraval/Phishing-Simulation/blob/master/AdminPanel/analysis.php
- https://github.com/jenyraval/Phishing-Simulation/blob/master/phishClient/result.php

Please always use parameterized queries! Especially if you create a security-focused application ;-)
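The fix the report asks for, as an added example that is not code from the Phishing-Simulation project or from the reporter: the string-built INSERT from `phishClient/test.php` is reproduced beside a version that uses a PDO prepared statement, and both are run against an in-memory SQLite database so the script works offline. Assumptions: the `employee(testcode, empid)` table from the issue, `$submitted` standing in for `$_POST['testcode']`, and `ENT_COMPAT` passed explicitly to `htmlspecialchars()` because that was the default flag before PHP 8.1 and it leaves single quotes untouched, which is what made the reported input break the statement.

```php
<?php
// Added example (not the project's code): reported vulnerable pattern next to
// the parameterized fix, run against in-memory SQLite.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE employee (testcode TEXT, empid TEXT)');

// Vulnerable builder: HTML output encoding is not SQL escaping. With ENT_COMPAT
// (the pre-8.1 default, passed explicitly here as an assumption) a single quote
// passes through and becomes part of the SQL grammar.
function buildVulnerableInsert(string $testcode, string $empid): string
{
    $testcode = htmlspecialchars($testcode, ENT_COMPAT);
    $empid    = htmlspecialchars($empid, ENT_COMPAT);
    return "insert into employee (testcode,empid) values ('$testcode','$empid');";
}

// Fixed: a prepared statement keeps the SQL grammar fixed and sends the values
// separately, so a quote inside the input is stored as data, not parsed as SQL.
function insertEmployee(PDO $pdo, string $testcode, string $empid): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO employee (testcode, empid) VALUES (:testcode, :empid)'
    );
    $stmt->execute([':testcode' => $testcode, ':empid' => $empid]);
}

$submitted = "1'";   // constructed input, the value used in the report

// Vulnerable path: the statement is syntactically broken, as the report shows.
$broken = buildVulnerableInsert($submitted, '12');
echo $broken, PHP_EOL;
try {
    $pdo->exec($broken);
} catch (PDOException $e) {
    echo 'string-built query rejected by the database: ', $e->getMessage(), PHP_EOL;
}

// Parameterized path: the same input is accepted and stored verbatim.
insertEmployee($pdo, $submitted, '12');
$row = $pdo->query('SELECT testcode, empid FROM employee')->fetch(PDO::FETCH_ASSOC);
var_dump($row['testcode'] === $submitted);
```

Run it with `php example.php`; it needs the bundled `pdo_sqlite` extension. The point to take from the two paths is that escaping or encoding at the string level is the wrong layer for this problem: the prepared statement removes the quoting question entirely, and `htmlspecialchars()` can go back to being applied where it belongs, at HTML output time.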

jenyraval commented 5 years ago

@fbogner Appreciate your time in reviewing!

I am in process of fixing sec-bugs, shall commit code once I am done.

Thanks!

jenyraval commented 5 years ago

Changes merged to master.

Thanks for reporting!