At the end of the above code snippet, sql += fmt.Sprintf(" WHERE username = '%s'", username), '%s' shows that username is delivered to SQL statement without sanitized. If we could control username variable,then SQL injection could be exploited. Coincidentally there is no sanitization of username when attacker register malformed account.
The source point occurs on username at /signup api route.
Meanwhile, if !isAdminUsername(cfg, username){ shows that only general username could trigger the SQL injection, that is good for attack.
Proof of Concept
1.Create a docker environment locally, using the docker command recommended. sudo docker run -it -p 5912:5912 -p 5913:5913 zhaojh329/rttys:latest
2.Access the Web panel opened in http://ip:5913/, click Sign up to register new user. Because it is a docker demo, we have to register a admin account firstly.
3.After registered admin username, then attacker register a new malformed username xyz' union select username,password,3 from account-- with any password like SecurityTest
4.Attacker logged in with username xyz' union select username,password,3 from account--successfully, we could find that the password of admin and other users is showing, which is the result of exploit of SQL injection. As is showing below
The text was updated successfully, but these errors were encountered:
Summary
SQL injection occurs on the server side of rtty:
rttys.Affected Version: v4.0.0<= rttys <= v4.0.2
Attacker could register a malformed account in server side, logged in and trigger the SQL injection.
I tried to contact to you using huntr platform, but it seems not work, so I post the security issue here.
Analysis
The
sink pointoccurs on the/devsapi route:At the end of the above code snippet,
sql += fmt.Sprintf(" WHERE username = '%s'", username),'%s'shows thatusernameis delivered to SQL statement without sanitized. If we could controlusernamevariable,then SQL injection could be exploited. Coincidentally there is no sanitization ofusernamewhen attacker register malformed account.The
source pointoccurs onusernameat/signupapi route.Meanwhile,
if !isAdminUsername(cfg, username){shows that only general username could trigger the SQL injection, that is good for attack.Proof of Concept
1.Create a docker environment locally, using the docker command recommended.
sudo docker run -it -p 5912:5912 -p 5913:5913 zhaojh329/rttys:latest2.Access the Web panel opened in http://ip:5913/, click
Sign upto register new user. Because it is a docker demo, we have to register aadminaccount firstly.3.After registered
adminusername, then attacker register a new malformed usernamexyz' union select username,password,3 from account--with any password likeSecurityTest4.Attacker logged in with username
xyz' union select username,password,3 from account--successfully, we could find that the password of admin and other users is showing, which is the result of exploit of SQL injection. As is showing belowThe text was updated successfully, but these errors were encountered: