update victims_battery set time_d = case when (SELECT count(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%') = 8 then randomblob(1000000000) else 1 end where 1=1 or 1=? or 'a'=? --
If the condition inside case when() is true, randomblob(1000000000) is executed, which leads to a large delay and/or a returned status code of 500. This enables an attacker to run a blind SQL injection attack.
Description
User input is not escaped when building the SQL command. As a result, the application is vulnerable to SQL injection.
Proof of concept
python trape.py --url example.com --port 8080
Impact
Dump the whole database of trape.
How to fix
The vulnerability is in https://github.com/jofpin/trape/blob/master/core/db.py#L129. The data[2] variable is manually concatenated into the SQL command. To fix this, the developer can whitelist the data[2] variable before constructing the SQL query.
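To make the fix concrete, here is an added example; it is not trape's own code. Only the table name and the time_d column are taken from the payload above; the rest (the in-memory schema, the sample rows, the crafted input and the allowlist pattern) is a constructed stand-in for db.py. It places the concatenation pattern the report describes beside a parameterized version, and adds the whitelist check the report suggests as a second layer.

```python
import re
import sqlite3


# Constructed stand-in for the victims table; trape's real schema is not on the page.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE victims_battery (id TEXT PRIMARY KEY, time_d TEXT)")
    conn.executemany(
        "INSERT INTO victims_battery VALUES (?, ?)",
        [("v1", "0"), ("v2", "0"), ("v3", "0")],
    )
    conn.commit()
    return conn


def update_vulnerable(conn, victim_id, time_d):
    """The anti-pattern described in the report: untrusted input is pasted into
    the SQL text, so a quote character in victim_id rewrites the WHERE clause."""
    sql = "UPDATE victims_battery SET time_d = '%s' WHERE id = '%s'" % (time_d, victim_id)
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # number of rows the statement actually changed


# Hypothetical allowlist for the identifier (the report's "whitelist" suggestion);
# the exact character set would depend on how trape generates victim ids.
_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def is_valid_id(victim_id):
    return bool(_ID_RE.match(victim_id))


def update_parameterized(conn, victim_id, time_d):
    """Bound parameters: the driver passes victim_id as a value, never as SQL text,
    so quotes and keywords inside it cannot change the statement's shape."""
    cur = conn.execute(
        "UPDATE victims_battery SET time_d = ? WHERE id = ?", (time_d, victim_id)
    )
    conn.commit()
    return cur.rowcount


def update_hardened(conn, victim_id, time_d):
    """Defence in depth: reject identifiers outside the allowlist before the query
    is built, then still bind the value rather than concatenating it."""
    if not is_valid_id(victim_id):
        raise ValueError("rejected victim id: %r" % victim_id)
    return update_parameterized(conn, victim_id, time_d)


if __name__ == "__main__":
    crafted = "x' OR '1'='1"  # constructed input: a closing quote followed by a tautology
    print("vulnerable rows changed:", update_vulnerable(make_db(), crafted, "now"))  # 3: every row
    print("parameterized rows changed:", update_parameterized(make_db(), crafted, "now"))  # 0: no such id
    try:
        update_hardened(make_db(), crafted, "now")
    except ValueError as exc:
        print("hardened:", exc)
```

Run as-is: the concatenated form lets the crafted id match every row, the bound form matches none because the whole string is compared literally against the id column, and the hardened form never reaches the database. The whitelist is worth keeping as a guard on the identifier, but the bound parameter is the part that closes the injection; an allowlist alone breaks as soon as a new id format is introduced.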