Submission #812192: QuantumNous new-api [Needs Manual Input] SQL Injection (CWE-89)

Information

Title: QuantumNous new-api [Needs Manual Input] SQL Injection (CWE-89)
Description:

# Technical Details

An unescaped LIKE-wildcard injection exists in the `model.SearchUserTopUps` and `model.SearchAllTopUps` functions. Authenticated users can pass raw SQL LIKE wildcard characters (`%` and `_`) in the `keyword` parameter of the `GET /api/user/topup/self` endpoint. Because these characters are never escaped before being concatenated into the pattern bound to the GORM LIKE query, the attacker controls the pattern rather than a literal search term and can force the database's pattern matcher into expensive backtracking. Submitting many long, wildcard-heavy patterns drives up CPU consumption and produces slow-query Denial of Service (DoS) conditions against the backing database. Note that the pattern is still passed as a bound parameter (`?`), so the attacker cannot alter the statement itself, only what it matches; the exposure is unintended matching and resource exhaustion, not arbitrary query execution.

# Vulnerable Code

File: `model/topup.go`

Method: `SearchUserTopUps` and `SearchAllTopUps`

Why: when constructing the dynamic LIKE clauses, the application pads the user-supplied string with `%` and binds it to the query unchanged:

```go
like := "%%" + keyword + "%%"
query = query.Where("trade_no LIKE ?", like)
```

The database interprets `_` (any single character) and `%` (any run of characters) as pattern operators rather than literal characters. A payload such as `%%%%%%%%%%%%%%%%_%%_%_%` forces the matcher into combinatorial backtracking on every row it scans. No ESCAPE character is declared and no sanitisation is applied to the keyword before it is interpolated into the pattern.

# Reproduction

1. Save the `docker-compose.yml` which builds the vulnerable `new-api` application context.
2. Spin up the test environment: `docker compose up -d`.
3. Save the Python script as `exploit.py`. The script registers a user, performs a top-up, and replaces the last character of the resulting `trade_no` with the SQL single-character wildcard `_`.
4. Run the PoC: `python3 exploit.py`. It checks whether the search treated the input as a wildcard pattern instead of a literal underscore, confirming wildcard evaluation.
# Impact

- This vulnerability permits authenticated bad actors to perform arbitrary string-matching evaluations against `trade_no`.
- It results in application-wide slowdown and exhaustion of database connections (Denial of Service).
- Attackers can stall all operations that reference the database, effectively knocking the application offline.
Source: https://gist.github.com/YLChen-007/cf501d0a66c81298b2f97e854f3813db
User: Eric-e (UID 97581)
Submitted: 24/04/2026 02:15 PM (1 month ago)
Moderation: 22/05/2026 08:03 PM (28 days later)
Status: Approved
VulDB Entry: 365252 [QuantumNous new-api up to 0.12.1 self Endpoint model/topup.go SearchUserTopUps/SearchAllTopUps SQL Injection]
Points: 20
