As this tool has also been introduced on the Full Disclosure mailing list I got interested and took a brief look at its source code. Thereby I detected several SQL injections:
For example see https://github.com/jenyraval/Phishing-Simulation/blob/master/phishClient/test.php
```php
// Vulnerable code from phishClient/test.php: htmlspecialchars() is an HTML
// output-encoding function; with its default flags it does not touch single
// quotes, so the values are concatenated unescaped into the SQL string.
$testcode = htmlspecialchars($_POST['testcode']);
$empid = htmlspecialchars($_POST['empid']);
$query = "insert into employee (testcode,empid) values ('$testcode','$empid');";
```
By setting the post param testcode to 1' the resulting SQL statement is: insert into employee (testcode,empid) values ('1'','12'); -> a first proof that this is exploitable
With the help of SQLmap this can even be automated:
There are further files that show signs of SQL injections:
https://github.com/jenyraval/Phishing-Simulation/blob/master/AdminPanel/setup2.php
https://github.com/jenyraval/Phishing-Simulation/blob/master/AdminPanel/analysis.php
https://github.com/jenyraval/Phishing-Simulation/blob/master/phishClient/result.php
Please always use parameterized queries! Especially if you create a security-focused application ;-)
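To illustrate the recommendation, here is an added example (not code from the Phishing-Simulation project) that puts the concatenated insert from test.php next to a parameterized version. It assumes PDO with the SQLite driver so it runs stand-alone against an in-memory database; the sample input is constructed and is the same single-quote value from above.

```php
<?php
// Added example: in-memory SQLite via PDO stands in for the project's real
// database connection so the snippet runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE employee (testcode TEXT, empid TEXT)");

// Constructed sample input standing in for $_POST['testcode'] / $_POST['empid'].
$postTestcode = "1'";
$postEmpid    = "12";

// 1) The pattern used in phishClient/test.php. htmlspecialchars() with its
//    default flags leaves a single quote untouched, so the quote still ends up
//    inside the SQL text and changes the statement instead of being data.
$testcode = htmlspecialchars($postTestcode);
$empid    = htmlspecialchars($postEmpid);
$query = "insert into employee (testcode,empid) values ('$testcode','$empid');";
try {
    $db->exec($query);
    echo "concatenated query ran\n";
} catch (PDOException $e) {
    // The quote broke the statement: proof the input reached the SQL parser.
    echo "concatenated query failed: " . $e->getMessage() . "\n";
}

// 2) Parameterized query. The SQL text is fixed at prepare() time and the
//    values travel separately, so no quote in the input can alter the query.
//    Note: no htmlspecialchars() here; HTML-encode when rendering output,
//    not when writing to the database.
$stmt = $db->prepare(
    "INSERT INTO employee (testcode, empid) VALUES (:testcode, :empid)"
);
$stmt->execute([
    ':testcode' => $postTestcode,
    ':empid'    => $postEmpid,
]);

// Read back: the stored value is the literal string 1' (quote included).
$row = $db->query("SELECT testcode, empid FROM employee")
          ->fetch(PDO::FETCH_ASSOC);
echo "stored testcode: " . $row['testcode'] . ", empid: " . $row['empid'] . "\n";
```

The same prepare()/execute() pattern applies to the selects in setup2.php, analysis.php and result.php; the driver behind the real connection (MySQL, for instance) does not change the approach.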