[Security Bugs] Multiple Sql Injection #47

Open
trichimtrich opened this issue May 25, 2017 · 1 comment

@trichimtrich

commented May 25, 2017

Hi, I have found some critical bugs in Slims8 Akasia 8.3.1 (latest version).
First, there is a SQL injection bug in this URL:

$table_name = $dbs->escape_string(trim($_POST['tableName']));
<--striped-->
// append table name
$sql_string .= " FROM $table_name ";
if ($criteria) { $sql_string .= " WHERE $criteria LIMIT $limit"; }

// send query to database
$query = $dbs->query($sql_string);

You have escaped the tableName string. But actually it just appends a backslash \ before ', ", or \. Reference from PHP mysql_real_escape_string.
So my POST variable tableName will trigger SQL injection if it does not contain these chars.
Example: tableName = user where 1=0 union select version()--

[screenshot: 2017_05_26_sql1]

And also

$table_fields = trim($_POST['tableFields']);
<--striped-->
// explode table fields data
$fields = str_replace(':', ', ', $table_fields);
// set where criteria
$criteria = '';
foreach (explode(':', $table_fields) as $field) {
    $criteria .= " $field LIKE '%$keywords%' OR";
}
// remove the last OR
$criteria = substr_replace($criteria, '', -2);

$sql_string = "SELECT $fields ";

Variable tableFields is not sanitized for the SQL query yet. So it'll trigger injection like this:

[screenshot: 2017_05_26_sql2]

These 2 URLs have the same problems.

This bug is executable by everyone who has the librarian role (single).
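For comparison, a hardened rewrite of the lookup quoted above, added here as an example and not code from the SLiMS project: escaping cannot protect an identifier such as a table or column name, so those are checked against an allow-list and only the keyword is bound as a prepared-statement parameter. The allow-list entries and the `runLookup` function are assumed placeholders, not SLiMS names.

```php
<?php
// Added example, not SLiMS code. Identifiers (table and column names) cannot be
// bound as parameters, so they are validated against a fixed allow-list before
// they ever reach the SQL string; the keyword is bound, so quoting is never the
// defence. The table and column names below are assumed placeholders.
$allowedTables = [
    'example_table_a' => ['col_name', 'col_year'],
    'example_table_b' => ['col_title'],
];

function runLookup(mysqli $dbs, array $allowedTables, string $tableName,
                   string $tableFields, string $keywords, int $limit)
{
    // 1. The table must be a known name: no escaping, no interpolation of
    //    anything the client sent ("user where 1=0 union ..." is rejected here).
    if (!isset($allowedTables[$tableName])) {
        throw new InvalidArgumentException('unknown table');
    }
    // 2. Each requested field (same ':'-separated format as tableFields) must
    //    be one of that table's known columns.
    $fields = explode(':', $tableFields);
    foreach ($fields as $field) {
        if (!in_array($field, $allowedTables[$tableName], true)) {
            throw new InvalidArgumentException('unknown field');
        }
    }
    // 3. Build the statement only from validated identifiers, backtick-quoted,
    //    with one '?' placeholder per field for the keyword.
    $quoted = array_map(function ($f) { return "`$f`"; }, $fields);
    $select = implode(', ', $quoted);
    $where  = implode(' OR ', array_map(function ($q) { return "$q LIKE ?"; }, $quoted));
    $limit  = max(1, min($limit, 100)); // already an int; keep it bounded
    $sql    = "SELECT $select FROM `$tableName` WHERE $where LIMIT $limit";

    $stmt = $dbs->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $dbs->error);
    }
    // LIKE wildcards inside the keyword are escaped so the user controls the
    // search text, not the pattern; the value itself travels as a parameter.
    $pattern = '%' . addcslashes($keywords, '%_\\') . '%';
    $types   = str_repeat('s', count($fields));
    $params  = array_fill(0, count($fields), $pattern);
    $stmt->bind_param($types, ...$params);
    $stmt->execute();
    return $stmt->get_result();
}
```

With this shape the reported payloads for tableName and tableFields fail the allow-list check before any query is built, which is also the point to log and alert on.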

@dicarve

Collaborator

commented Jun 5, 2017

Hi trichimtrich,

Thank you for your findings, this is very useful for us, and we will try to resolve this issue ASAP.

Regards,
