Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

report sqlinjection vulnerability #951

Closed
pe4ch opened this issue Feb 23, 2022 · 1 comment
Closed

report sqlinjection vulnerability #951

pe4ch opened this issue Feb 23, 2022 · 1 comment
Assignees

Comments

@pe4ch
Copy link

pe4ch commented Feb 23, 2022

sqlinjection source
falcon-plus/modules/nodata/http/proc_http.go
line 61

	// config.hostgroup, /group/$grpname
	http.HandleFunc("/proc/group/", func(w http.ResponseWriter, r *http.Request) {
		urlParam := r.URL.Path[len("/proc/group/"):]
		RenderDataJson(w, service.GetHostsFromGroup(urlParam))
	})

sqlinjection sink http param is "grpName"

falcon-plus/modules/nodata/config/service/host.go
line 24

// FIX ME: too many JOIN

func GetHostsFromGroup(grpName string) map[string]int {
	hosts := make(map[string]int)

	now := time.Now().Unix()
	q := fmt.Sprintf("SELECT host.id, host.hostname FROM grp_host AS gh "+
		" INNER JOIN host ON host.id=gh.host_id AND (host.maintain_begin > %d OR host.maintain_end < %d)"+
		" INNER JOIN grp ON grp.id=gh.grp_id AND grp.grp_name='%s'", now, now, grpName) # grapName sql injection 

	dbConn, err := GetDbConn("nodata.host")
	if err != nil {
		log.Println("db.get_conn error, host", err)
		return hosts
	}

// provide

sqlinjection bool True page

mysql query log

sqlinjection bool False page

payload

@laiwei
Copy link
Member

laiwei commented Mar 1, 2022

@pe4ch 谢谢反馈
assigned to @710leo

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants