There are security risks in the operation of the server on the database #47

Closed
marckwei opened this issue Nov 27, 2020 · 1 comment

Comments

@marckwei

issue 1

Vulnerability

There is a SQL injection vulnerability in the UserManager::addUser method.
The business function corresponding to this method is account registration.
userid, username and nickname can be controlled; there are no filtering measures, and the entire SQL statement is executed directly.

Looking at the code, it is found that the client does not encrypt the transmitted data, and the registration information is sent to the server in clear text. Therefore, it can be injected directly in the client registration window.

```cpp
bool UserManager::addUser(User& u)
{
    ……
    ……
    ……
    char sql[256] = { 0 };
    snprintf(sql, 256, "INSERT INTO t_user(f_user_id, f_username, f_nickname, f_password, f_register_time) VALUES(%d, '%s', '%s', '%s', NOW())", m_baseUserId.load(), u.username.c_str(), u.nickname.c_str(), u.password.c_str());
    if (!pConn->execute(sql))
    {
        LOGW("insert user error, sql: %s", sql);
        return false;
    }
    ……
    ……
}
```

Poc

payload: `ad','ad','ads',sleep(10));#` or `ad','ad','ads',user());#`

issue 2

Vulnerability

There is a SQL injection vulnerability in the UserManager::updateUserTeamInfoInDbAndMemory method.

newteaminfo can be controlled.

```cpp
bool UserManager::updateUserTeamInfoInDbAndMemory(int32_t userid, const std::string& newteaminfo)
{
    ……
    ……
    std::ostringstream osSql;
    osSql << "UPDATE t_user SET f_teaminfo='"
          << newteaminfo << "' WHERE f_user_id="
          << userid;
    if (!pConn->execute(osSql.str().c_str()))
    {
        LOGE("Update Team Info error, sql: %s", osSql.str().c_str());
        return false;
    }
    ……
    ……
}
```

Poc

The client has an input length limit, but client-side defences are ineffective: hard-code the payload into the program.

payload: `1"}]' or updatexml(2,concat(0x7e,version()),0) or'`

issue 3

Vulnerability

There is a SQL injection vulnerability in the UserManager::addGroup method.

groupname can be controlled.

```cpp
bool UserManager::addGroup(const char* groupname, int32_t ownerid, int32_t& groupid)
{
    ……
    ……
    ++m_baseGroupId;
    char sql[256] = { 0 };
    snprintf(sql, 256, "INSERT INTO t_user(f_user_id, f_username, f_nickname, f_password, f_owner_id, f_register_time) VALUES(%d, '%d', '%s', '', %d,  NOW())", m_baseGroupId.load(), m_baseGroupId.load(), groupname, ownerid);
    if (!pConn->execute(sql))
    {
        LOGE("insert group error, sql: %s", sql);
        return false;
    }
    ……
    ……
}
```

The create-group-chat function can trigger this method.

payload: `1','','1',version());#`

The client has an input length limit, but client-side defences are ineffective: hard-code the payload into the program.

Find the place where the client sends the JSON and hard-code the payload there.

issue 4

Vulnerability

There is a SQL injection vulnerability in the UserManager::updateUserInfoInDb method.

```cpp
bool UserManager::updateUserInfoInDb(int32_t userid, const User& newuserinfo)
{
    ……
    ……
    std::ostringstream osSql;
    osSql << "UPDATE t_user SET f_nickname='"
          << newuserinfo.nickname << "', f_facetype="
          << newuserinfo.facetype << ", f_customface='"
          << newuserinfo.customface << "', f_gender="
          << newuserinfo.gender << ", f_birthday="
          << newuserinfo.birthday << ", f_signature='"
          << newuserinfo.signature << "', f_address='"
          << newuserinfo.address << "', f_phonenumber='"
          << newuserinfo.phonenumber << "', f_mail='"
          << newuserinfo.mail << "' WHERE f_user_id="
          << userid;
    if (!pConn->execute(osSql.str().c_str()))
    {
        LOGE("UpdateUserInfo error, sql: %s", osSql.str().c_str());
        return false;
    }
    ……
    ……
}
```

Poc

payload: `1' or updatexml(2,concat(0x7e,version()),0) or'`
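All four reports above share one root cause: user-controlled strings are spliced into the SQL text (with `snprintf` or `ostringstream`) before it reaches `execute()`. The following is an added example, not flamingo's own code and not from the reporter, that puts the issue-1 `INSERT` shape next to a parameterised form where the SQL text is fixed and the values travel separately. `PreparedStatement` is a hypothetical stand-in for a real driver API such as libmysqlclient's `MYSQL_STMT`/`mysql_stmt_bind_param`; it only records what would be sent, so the file runs without a database. The username allow-list rule and the hostile input are constructed for the example. Note that an allow-list alone is not a fix for fields like `f_teaminfo` (issue 2), which legitimately carry JSON punctuation; parameter binding is the general remedy.

```cpp
// Added example (not flamingo's own code). Contrasts the spliced-string
// INSERT reported in issue 1 with a prepared-statement form. DbConnection /
// PreparedStatement are hypothetical stand-ins for a real driver API.
#include <cctype>
#include <cstdio>
#include <string>
#include <utility>
#include <vector>

// The shape from issue 1: values spliced into the SQL text with snprintf.
// A value containing a quote closes the literal early and everything after
// it is parsed as SQL, so the statement sent is not the one that was written.
std::string buildInsertUnsafe(int userId, const std::string& username,
                              const std::string& nickname,
                              const std::string& password) {
    char sql[512] = {0};
    std::snprintf(sql, sizeof sql,
                  "INSERT INTO t_user(f_user_id, f_username, f_nickname, "
                  "f_password, f_register_time) VALUES(%d, '%s', '%s', '%s', NOW())",
                  userId, username.c_str(), nickname.c_str(), password.c_str());
    return sql;
}

// Hypothetical prepared-statement record: the SQL text is fixed at
// construction and parameters are kept apart, so a value can never alter it.
struct PreparedStatement {
    std::string sql;                  // template with '?' placeholders
    std::vector<std::string> params;  // bound values, sent out of band

    explicit PreparedStatement(std::string tmpl) : sql(std::move(tmpl)) {}

    PreparedStatement& bind(const std::string& value) {
        params.push_back(value);      // stored verbatim, never interpreted
        return *this;
    }
    // Check a real driver performs before execution: every '?' needs a value.
    std::size_t placeholderCount() const {
        std::size_t n = 0;
        for (char c : sql) if (c == '?') ++n;
        return n;
    }
    bool ready() const { return placeholderCount() == params.size(); }
};

// The same INSERT with every user-supplied value bound as a parameter.
PreparedStatement buildInsertSafe(int userId, const std::string& username,
                                  const std::string& nickname,
                                  const std::string& password) {
    PreparedStatement st(
        "INSERT INTO t_user(f_user_id, f_username, f_nickname, f_password, "
        "f_register_time) VALUES(?, ?, ?, ?, NOW())");
    st.bind(std::to_string(userId)).bind(username).bind(nickname).bind(password);
    return st;
}

// Defence in depth for fields with a natural shape: reject quotes and SQL
// punctuation in usernames up front. Constructed rule (1-32 chars of
// [A-Za-z0-9_]), not a rule taken from the project.
bool isValidUsername(const std::string& s) {
    if (s.empty() || s.size() > 32) return false;
    for (unsigned char c : s)
        if (!(std::isalnum(c) || c == '_')) return false;
    return true;
}

// Counts single quotes in a rendered statement; an odd count means a string
// literal was broken open by its contents.
std::size_t quoteCount(const std::string& sql) {
    std::size_t n = 0;
    for (char c : sql) if (c == '\'') ++n;
    return n;
}

int main() {
    // Constructed value in the shape of the issue-1 PoC: closes the literal,
    // supplies the remaining columns and comments out the rest of the query.
    const std::string hostile = "ad','ad','ads',NOW());#";
    std::printf("unsafe : %s\n", buildInsertUnsafe(1, hostile, "n", "p").c_str());
    PreparedStatement st = buildInsertSafe(1, hostile, "n", "p");
    std::printf("safe   : %s  (params=%zu)\n", st.sql.c_str(), st.params.size());
    std::printf("valid username? %s\n", isValidUsername(hostile) ? "yes" : "no");
    return 0;
}
```

Running it shows the spliced version ending in `NOW());#', 'n', 'p', NOW())`, i.e. an extra statement terminator and a comment inside what was meant to be one `INSERT`, while the bound version's SQL text is unchanged and the hostile string sits in `params[1]` as plain data. Logging the template rather than the rendered statement (as the `LOGW`/`LOGE` calls above do) also keeps passwords out of the server log.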

@balloonwj
Owner

Yes, you are right. If you use flamingo for commercial use, remember to enhance this. Not adding these additional checks and enhancements is just for simplicity for users who study it. @marckwei
