cx-israel-ogunsakin · cx-israel-ogunsakin · Sep 25, 2023 · Sep 25, 2023 · Sep 25, 2023 · Sep 25, 2023
diff --git a/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java b/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java
@@ -6,6 +6,7 @@
 
 package org.cysecurity.cspf.jvl.controller;
 
+import java.sql.PreparedStatement;
 import java.io.IOException;
 import java.io.PrintWriter;
 import java.sql.Connection;
@@ -48,8 +49,9 @@ protected void processRequest(HttpServletRequest request, HttpServletResponse re
                     if(con!=null && !con.isClosed())
                                {
                                    ResultSet rs=null;
-                                   Statement stmt = con.createStatement();  
-                                   rs=stmt.executeQuery("select * from users where username='"+user+"' and password='"+pass+"'");
+                                   PreparedStatement stmt = con.prepareStatement("select * from users where username='"+user+"' and password=?");  
+                                   stmt.setString(1, pass);
+                                   rs=stmt.executeQuery();
                                    if(rs != null && rs.next()){
                                    HttpSession session=request.getSession();
                                    session.setAttribute("isLoggedIn", "1");

diff --git a/src/main/webapp/admin/adminlogin.jsp b/src/main/webapp/admin/adminlogin.jsp
@@ -15,8 +15,10 @@ if(request.getParameter("Login")!=null)
                     if(con!=null && !con.isClosed())
                                {
                                    ResultSet rs=null;
-                                   Statement stmt = con.createStatement();  
-                                   rs=stmt.executeQuery("select * from users where username='"+user+"' and password='"+pass+"' and privilege='admin'");
+                                   PreparedStatement pstmt = con.prepareStatement("select * from users where username=? and password=? and privilege='admin'");
+                                   pstmt.setString(1, user);
+                                   pstmt.setString(2, pass);
+                                   rs=pstmt.executeQuery();
                                    if(rs != null && rs.next()){
                                    session.setAttribute("isLoggedIn", "1");
                                    session.setAttribute("userid", rs.getString("id"));

diff --git a/src/main/webapp/changeCardDetails.jsp b/src/main/webapp/changeCardDetails.jsp
@@ -1,11 +1,5 @@
  <%@ include file="/header.jsp" %>
- <%@page import="java.sql.Connection"%>
-<%@page import="java.sql.Statement"%>
-<%@page import="java.sql.SQLException"%>
-
-<%@page import="java.sql.ResultSetMetaData"%>
-<%@page import="java.sql.ResultSet"%>
-<%@ page import="java.util.*,java.io.*"%>
+<%@ page import="java.sql.Connection,java.sql.PreparedStatement,java.sql.SQLException"%>
 <%@ page import="org.cysecurity.cspf.jvl.model.DBConnect"%>
 
 
@@ -24,38 +18,37 @@ if(session.getAttribute("isLoggedIn")!=null)
 		</form>
 		<br/>
     <%
- Connection con=new DBConnect().connect(getServletContext().getRealPath("/WEB-INF/config.properties"));
-
-   String id=session.getAttribute("userid").toString();    //Gets User ID  
-   String action=request.getParameter("action");
-   try
-   {
-
-    if(action!=null && action.equalsIgnoreCase("add") )
+    Connection con=new DBConnect().connect(getServletContext().getRealPath("/WEB-INF/config.properties"));
+    String id=session.getAttribute("userid").toString();    //Gets User ID  
+    String action=request.getParameter("action");
+    try
     {
-
-        String cardno=request.getParameter("cardno");
-        String cvv=request.getParameter("cvv");
-        String expirydate=request.getParameter("expirydate");
-        if(!cardno.equals("") && !cvv.equals("") && !expirydate.equals(""))
-        {
-         Statement stmt = con.createStatement();
-         stmt.executeUpdate("INSERT into cards(id,cardno, cvv,expirydate) values ('"+id+"','"+cardno+"','"+cvv+"','"+expirydate+"')");
-         out.print("<b style='color:green'> * Card details added *</b>");   
-        }
-        else
+        if(action!=null && action.equalsIgnoreCase("add") )
         {
-            out.print("<b style='color:red'>*  Please Fill all the details * </b>");
+            String cardno=request.getParameter("cardno");
+            String cvv=request.getParameter("cvv");
+            String expirydate=request.getParameter("expirydate");
+            if(!cardno.equals("") && !cvv.equals("") && !expirydate.equals(""))
+            {
+                PreparedStatement pstmt = con.prepareStatement("INSERT into cards(id,cardno, cvv,expirydate) values (?,?,?,?)");
+                pstmt.setString(1, id);
+                pstmt.setString(2, cardno);
+                pstmt.setString(3, cvv);
+                pstmt.setString(4, expirydate);
+                pstmt.executeUpdate();
+                out.print("<b style='color:green'> * Card details added *</b>");
+            }
+            else
+            {
+                out.print("<b style='color:red'>*  Please Fill all the details * </b>");
+            }
         }
+        out.print("<br/><br/><a href='"+path+"/myprofile.jsp?id="+id+"'>Return to Profile Page &gt;&gt;</a>");
     }
-
-     out.print("<br/><br/><a href='"+path+"/myprofile.jsp?id="+id+"'>Return to Profile Page &gt;&gt;</a>"); 
-
+    catch(SQLException e)
+    {
+        out.print(e);
     }
-   catch(Exception e)
-   {
-       out.print(e);
-   }
 }
 else
 {

diff --git a/src/main/webapp/myprofile.jsp b/src/main/webapp/myprofile.jsp
@@ -1,6 +1,6 @@
  <%@ include file="/header.jsp" %>
  <%@page import="java.sql.Connection"%>
-<%@page import="java.sql.Statement"%>
+<%@page import="java.sql.PreparedStatement"%>
 <%@page import="java.sql.SQLException"%>
 
 <%@page import="java.sql.ResultSetMetaData"%>
@@ -16,29 +16,32 @@ if(session.getAttribute("isLoggedIn")!=null)
    String id=request.getParameter("id");
    if(id!=null && !id.equals(""))
    {
-        Statement stmt = con.createStatement();
-             ResultSet rs =null;
-             rs=stmt.executeQuery("select * from users where id="+id);
-              if(rs != null && rs.next())
-              {
-                out.print("UserName : "+rs.getString("username")+"<br>"); 
-                out.print("Email : "+rs.getString("email")+"<br>"); 
-                out.print("About : "+rs.getString("about")+"<br>"); 
-
-                //Getting Card Details:
-                ResultSet rs1=stmt.executeQuery("select * from cards where id="+id);
-                 if(rs1 != null && rs1.next())
-                {
-                   out.print("<br/>-------------------<br/>Card Details:<br/>-------------------<br/>");
-                   out.print("Card Number: "+rs1.getString("cardno")+"<br/>");
-                   out.print("CVV: "+rs1.getString("cvv")+"<br/>");
-                   out.print("Expiry Date: "+rs1.getString("expirydate")+"<br/>");
-                }
-                 else
-                 {
-                     out.print("<br/>No Card Details Found: <a href='changeCardDetails.jsp'>Add Card</a><br/>");
-                 }
-              }
+        PreparedStatement pstmt = con.prepareStatement("select * from users where id=?");
+        pstmt.setString(1, id);
+        ResultSet rs =null;
+        rs=pstmt.executeQuery();
+        if(rs != null && rs.next())
+        {
+          out.print("UserName : "+rs.getString("username")+"<br>"); 
+          out.print("Email : "+rs.getString("email")+"<br>"); 
+          out.print("About : "+rs.getString("about")+"<br>"); 
+
+          //Getting Card Details:
+          PreparedStatement pstmt1 = con.prepareStatement("select * from cards where id=?");
+          pstmt1.setString(1, id);
+          ResultSet rs1=pstmt1.executeQuery();
+          if(rs1 != null && rs1.next())
+          {
+             out.print("<br/>-------------------<br/>Card Details:<br/>-------------------<br/>");
+             out.print("Card Number: "+rs1.getString("cardno")+"<br/>");
+             out.print("CVV: "+rs1.getString("cvv")+"<br/>");
+             out.print("Expiry Date: "+rs1.getString("expirydate")+"<br/>");
+          }
+          else
+          {
+              out.print("<br/>No Card Details Found: <a href='changeCardDetails.jsp'>Add Card</a><br/>");
+          }
+        }
    }
    else
    {

diff --git a/src/main/webapp/vulnerability/DisplayMessage.jsp b/src/main/webapp/vulnerability/DisplayMessage.jsp
@@ -1,46 +1,35 @@
  <%@page import="java.sql.ResultSet"%>
-<%@page import="java.sql.Statement"%>
+<%@page import="java.sql.PreparedStatement"%>
 <%@page import="java.sql.Connection"%>
 <%@ include file="/header.jsp" %>
- <%@ page import="org.cysecurity.cspf.jvl.model.DBConnect"%>
- <%
-      if(session.getAttribute("isLoggedIn")!=null) 
- {
-       Connection con=new DBConnect().connect(getServletContext().getRealPath("/WEB-INF/config.properties"));
-        if(con!=null && !con.isClosed())
-          {
-            if(request.getParameter("msgid")!=null)
-             {
-              Statement stmt = con.createStatement();
-             ResultSet rs =null;
-             rs=stmt.executeQuery("select * from UserMessages where msgid="+request.getParameter("msgid"));
-                if(rs.next())
-                {
-                    out.print("<b>Sender:</b> "+rs.getString("sender"));
-                    out.print("<br/><b>Subject:</b>"+rs.getString("subject"));
-                    out.print("<br/><b>Message:</b> <br/>"+rs.getString("msg"));
-                }
-                else
-                {
-                    out.print("No Message Found");
-                }
-             }
-            else
-            {
-                out.print("Message Id Parameter is missing");
-
-            }
-              out.print("<br/><br/><a href='"+path+"/vulnerability/Messages.jsp'>Return to Messages &gt;&gt;</a>"); 
-
-              out.print("<br/><br/><a href='"+path+"/myprofile.jsp?id="+session.getAttribute("userid")+"'>Return to Profile Page &gt;&gt;</a>"); 
-
-       }
-
- }
- else
- {
-  out.print("<span style='color:red'>* Please login to send message</span>");   
- }
-       %>
-
- <%@ include file="/footer.jsp" %>
+<%@ page import="org.cysecurity.cspf.jvl.model.DBConnect"%>
+<%
+if(session.getAttribute("isLoggedIn")!=null) {
+Connection con=new DBConnect().connect(getServletContext().getRealPath("/WEB-INF/config.properties"));
+if(con!=null && !con.isClosed()) {
+if(request.getParameter("msgid")!=null) {
+PreparedStatement pstmt = con.prepareStatement("select * from UserMessages where msgid=?");
+pstmt.setString(1, request.getParameter("msgid"));
+ResultSet rs =null;
+rs=pstmt.executeQuery();
+if(rs.next()) {
+out.print("<b>Sender:</b> "+rs.getString("sender"));
+out.print("<br/><b>Subject:</b>"+rs.getString("subject"));
+out.print("<br/><b>Message:</b> <br/>"+rs.getString("msg"));
+}
+else {
+out.print("No Message Found");
+}
+}
+else {
+out.print("Message Id Parameter is missing");
+}
+out.print("<br/><br/><a href='"+path+"/vulnerability/Messages.jsp'>Return to Messages &gt;&gt;</a>");
+out.print("<br/><br/><a href='"+path+"/myprofile.jsp?id="+session.getAttribute("userid")+"'>Return to Profile Page &gt;&gt;</a>");
+}
+}
+else {
+out.print("<span style='color:red'>* Please login to send message</span>");
+}
+%>
+<%@ include file="/footer.jsp" %>
diff --git a/src/main/webapp/vulnerability/UserDetails.jsp b/src/main/webapp/vulnerability/UserDetails.jsp
@@ -1,34 +1,31 @@
  <%@page import="java.sql.ResultSet"%>
-<%@page import="java.sql.Statement"%>
+<%@page import="java.sql.PreparedStatement"%>
 <%@page import="java.sql.Connection"%>
 <%@ include file="/header.jsp" %>
- <%@ page import="org.cysecurity.cspf.jvl.model.DBConnect"%>
- <%
- Connection con=new DBConnect().connect(getServletContext().getRealPath("/WEB-INF/config.properties"));
-   String username=request.getParameter("username");
-   if(username!=null && !username.equals(""))
-   {
-        Statement stmt = con.createStatement();
-             ResultSet rs =null;
-             rs=stmt.executeQuery("select * from users where username='"+username+"'");
-              if(rs != null && rs.next())
-              {
-                out.print("<br>About "+rs.getString("username")+": <br>"+rs.getString("about")); 
-
-              }
-
-        if(session.getAttribute("isLoggedIn")!=null && !session.getAttribute("user").equals(username))
-        {
-             out.print("<br/><br/>");
-            out.print("<a href='SendMessage.jsp?recipient="+username+"'>Send Message to "+username+"</a>");
-        }
-   }
-   else
-   {
-       out.print("Username Parameter is Missing");
-   }
-
-      out.print("<br/><br/><a href='forum.jsp'>Return to Forum &gt;&gt;</a>"); 
-  %>
-
- <%@ include file="/footer.jsp" %>
+<%@ page import="org.cysecurity.cspf.jvl.model.DBConnect"%>
+<%
+Connection con=new DBConnect().connect(getServletContext().getRealPath("/WEB-INF/config.properties"));
+String username=request.getParameter("username");
+if(username!=null && !username.equals(""))
+{
+PreparedStatement pstmt = con.prepareStatement("select * from users where username=?");
+pstmt.setString(1, username);
+ResultSet rs =null;
+rs=pstmt.executeQuery();
+if(rs != null && rs.next())
+{
+out.print("<br>About "+rs.getString("username")+": <br>"+rs.getString("about"));
+}
+if(session.getAttribute("isLoggedIn")!=null && !session.getAttribute("user").equals(username))
+{
+out.print("<br/><br/>");
+out.print("<a href='SendMessage.jsp?recipient="+username+"'>Send Message to "+username+"</a>");
+}
+}
+else
+{
+out.print("Username Parameter is Missing");
+}
+out.print("<br/><br/><a href='forum.jsp'>Return to Forum &gt;&gt;</a>");
+%>
+<%@ include file="/footer.jsp" %>
diff --git a/src/main/webapp/vulnerability/idor/change-email.jsp b/src/main/webapp/vulnerability/idor/change-email.jsp
@@ -1,6 +1,6 @@
  <%@ include file="/header.jsp" %>
  <%@page import="java.sql.Connection"%>
-<%@page import="java.sql.Statement"%>
+<%@page import="java.sql.PreparedStatement"%>
 <%@page import="java.sql.SQLException"%>
 
 <%@page import="java.sql.ResultSetMetaData"%>
@@ -28,8 +28,10 @@ if(session.getAttribute("isLoggedIn")!=null)
    String id=request.getParameter("id");
    if(email!=null && !email.equals("") && id!=null)
    {
-        Statement stmt = con.createStatement();
-            stmt.executeUpdate("Update users set email='"+email+"' where id="+id);
+        PreparedStatement pstmt = con.prepareStatement("Update users set email=? where id=?");
+        pstmt.setString(1, email);
+        pstmt.setString(2, id);
+        pstmt.executeUpdate();
           out.print("<b class='success'>email Changed</b>");
    }
 

diff --git a/src/main/webapp/vulnerability/sqli/download_id_union.jsp b/src/main/webapp/vulnerability/sqli/download_id_union.jsp
@@ -19,16 +19,16 @@
     if(fileid!=null && !fileid.equals(""))
    {
      Connection con=new DBConnect().connect(getServletContext().getRealPath("/WEB-INF/config.properties"));
-            Statement stmt = con.createStatement();
+            PreparedStatement pstmt = con.prepareStatement("select * from FilesList where fileid=?");
+            pstmt.setString(1, fileid);
              ResultSet rs =null;
-             rs=stmt.executeQuery("select * from FilesList where fileid="+fileid);         
+             rs=pstmt.executeQuery();
               if(rs != null && rs.next())
               {
 
                 int BUFSIZE = 4096;
                 String filePath=rs.getString("path");
-
-                 File file = new File(getServletContext().getRealPath(path));
+                  File file = new File(getServletContext().getRealPath(path));
                 file = new File(file.getParent()+filePath);       
                 int length   = 0;
                 ServletOutputStream outStream = response.getOutputStream();
@@ -58,6 +58,10 @@
         out.print("File Parameter is missing");
     }
   }
+  catch(SQLException e)
+  {
+       out.print("Oops, Something Went wrong");
+  }
   catch(Exception e)
   {
        out.print("Oops, Something Went wrong");