api/v1/protocol/set and api/v1/images/set API endpoints are vulnerable to authenticated SQL injection.
Affected version: ehoney v2.0.0
Analysis
1. For api/v1/protocol/set, the sink is in models/protocol.go:
//models/protocol.go
var p = "%" + payload.Payload + "%"
sql := fmt.Sprintf("select id, creator, status, create_time, protocol_type, deploy_path, default_flag, min_port, max_port from protocols where CONCAT(id, creator, create_time, protocol_type, deploy_path, min_port, max_port) LIKE '%s' order by create_time DESC", p)
2. For api/v1/images/set, the sink is in models/images.go:
//models/images.go
var p = "%" + payload.Payload + "%"
sql := fmt.Sprintf("select id, image_name, image_address, image_port, image_type, default_flag from images where CONCAT(image_name, image_address, image_port, image_type) LIKE '%s'", p)
As the code snippets above show, payload.Payload is concatenated into the SQL statement via fmt.Sprintf without any sanitization or parameter binding. payload.Payload is user-controlled: the source is the Payload parameter of these two API endpoints, so a single quote in it terminates the LIKE string literal and the remainder of the input is executed as SQL.
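The following Go snippet is an added illustration, not ehoney's own code: it reproduces the reported fmt.Sprintf pattern for the protocol query and places a hardened variant beside it that keeps the payload out of the SQL text by returning a `?` bind placeholder plus an argument slice (assuming a MySQL driver with `?` placeholders, where backslash is the default LIKE escape character) and escaping LIKE wildcards so the search term matches literally.

```go
package main

import (
	"fmt"
	"strings"
)

// vulnerableProtocolQuery reproduces the reported pattern: the user-controlled
// payload becomes part of the SQL text, so a quote in it changes the query.
func vulnerableProtocolQuery(payload string) string {
	p := "%" + payload + "%"
	return fmt.Sprintf("select id, creator, status, create_time, protocol_type, "+
		"deploy_path, default_flag, min_port, max_port from protocols where "+
		"CONCAT(id, creator, create_time, protocol_type, deploy_path, min_port, max_port) "+
		"LIKE '%s' order by create_time DESC", p)
}

// escapeLike escapes the LIKE metacharacters (backslash, %, _) so that a
// user-supplied search term is matched literally instead of as a pattern.
func escapeLike(s string) string {
	return strings.NewReplacer(`\`, `\\`, `%`, `\%`, `_`, `\_`).Replace(s)
}

// safeProtocolQuery returns a fixed SQL string with a bind placeholder and the
// argument slice to pass to db.Query; the payload never enters the SQL text.
func safeProtocolQuery(payload string) (string, []interface{}) {
	const q = "select id, creator, status, create_time, protocol_type, " +
		"deploy_path, default_flag, min_port, max_port from protocols where " +
		"CONCAT(id, creator, create_time, protocol_type, deploy_path, min_port, max_port) " +
		"LIKE ? order by create_time DESC"
	return q, []interface{}{"%" + escapeLike(payload) + "%"}
}

func main() {
	// Constructed input with a quote, in the shape of the report's payload.
	in := "TOM' UNION ALL SELECT NULL-- a"
	fmt.Println("vulnerable SQL text:", vulnerableProtocolQuery(in))
	q, args := safeProtocolQuery(in)
	fmt.Println("hardened SQL text:", q)
	fmt.Println("bound argument:", args[0])
}
```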
Proof of Concept
Take Ehoney's demo environment as an example and use the api/v1/protocol/set endpoint to demonstrate the SQL injection; api/v1/images/set behaves the same way.
After logging in with admin/admin123, the attacker intercepts the request and injects the following malicious payload. Payload: TOM' UNION ALL SELECT NULL,NULL,NULL,CONCAT(CONCAT('***',database()),'***'),NULL,NULL,NULL,NULL,NULL-- a
In the screenshot, the attacker sends the request with BurpSuite and the server responds with the database name: sec_ehoneypot