| Field | Value |
|---|---|
| Title | QuantumNous new-api [Needs Manual Input] SQL Injection (CWE-89) |
| Source | ⚠️ https://gist.github.com/YLChen-007/cf501d0a66c81298b2f97e854f3813db |
| User | Eric-e (UID 97581) |
| Submitted | 2026-04-24 14:15 (1 month ago) |
| Moderation | 2026-05-22 20:03 (28 days later) |
| Status | Accepted |
| VulDB entry | 365252 [QuantumNous new-api up to 0.12.1 self Endpoint model/topup.go SearchUserTopUps/SearchAllTopUps SQL Injection] |
| Points | 20 |

# Description

## Technical Details

An unescaped LIKE injection vulnerability exists in the `model.SearchUserTopUps` and `model.SearchAllTopUps` functions. Authenticated users can pass raw SQL wildcard characters (such as `%` and `_`) in the `keyword` parameter of the `GET /api/user/topup/self` endpoint. Because these wildcards are not escaped before being concatenated into the GORM LIKE pattern, an attacker can force the database's pattern-matching engine to evaluate a very large number of regex-like matching paths. By submitting many long, highly complex patterns, this can cause severe CPU consumption and slow-SQL Denial of Service (DoS) conditions on the underlying database.

## Vulnerable Code

File: `model/topup.go`

Method: `SearchUserTopUps` and `SearchAllTopUps`

Why: when constructing the dynamic LIKE clauses, the application pads the user-supplied string with `%` and binds it directly:

```go
like := "%%" + keyword + "%%"
query = query.Where("trade_no LIKE ?", like)
```

The database evaluates `_` and `%` as LIKE control operators rather than literal characters. If an attacker passes a payload such as `%%%%%%%%%%%%%%%%_%%_%_%`, the database must perform expensive combinatorial backtracking while matching the pattern against every row. No ESCAPE character is declared and no sanitizer is applied before the string is interpolated into the query.

## Reproduction

1. Save the `docker-compose.yml`, which builds the vulnerable `new-api` application context.
2. Spin up the test environment: `docker compose up -d`.
3. Save the Python script as `exploit.py`. The script registers a user, makes a top-up, and replaces the last character of the `trade_no` with the SQL single-character wildcard `_`.
4. Run the PoC script: `python3 exploit.py`. It checks whether the input was evaluated as a wildcard rather than as a literal underscore, confirming that wildcards are interpreted.

## Impact

- This vulnerability permits authenticated bad actors to perform arbitrary string-matching evaluations.
- It results in an application-wide slowdown and exhaustion of database connections (Denial of Service).
- Attackers can paralyze all operations that reference the database, effectively knocking the application offline.
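As an added example (not code from new-api or from the reporter), here is a Go sketch of the fix a defender would apply to the `SearchUserTopUps`/`SearchAllTopUps` pattern described above, placed beside the vulnerable construction. It assumes a 64-character keyword cap (new-api defines none) and uses `!` as the ESCAPE character because, unlike a backslash, it needs no dialect-specific quoting in SQLite, MySQL or PostgreSQL; `likeMatch` is a small reference evaluator of LIKE semantics included only so the two bound patterns can be compared offline.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

const (
	maxKeywordLen = 64  // assumed cap; new-api defines none, but length bounds LIKE cost
	likeEscape    = "!" // ESCAPE char; '!' needs no extra quoting in SQLite/MySQL/PostgreSQL
)

// escapeLike makes %, _ and the escape character itself match literally.
func escapeLike(s string) string {
	return strings.NewReplacer(likeEscape, likeEscape+likeEscape, "%", likeEscape+"%", "_", likeEscape+"_").Replace(s)
}

// vulnerableTopUpClause mirrors the report: the raw keyword is padded with %.
func vulnerableTopUpClause(keyword string) (string, []any) {
	return "trade_no LIKE ?", []any{"%" + keyword + "%"}
}

// hardenedTopUpClause rejects oversized keywords, escapes wildcards and declares ESCAPE.
func hardenedTopUpClause(keyword string) (string, []any, error) {
	if len(keyword) > maxKeywordLen {
		return "", nil, fmt.Errorf("keyword too long (%d > %d)", len(keyword), maxKeywordLen)
	}
	clause := "trade_no LIKE ? ESCAPE '" + likeEscape + "'"
	return clause, []any{"%" + escapeLike(keyword) + "%"}, nil
}

// likeMatch is a reference evaluator of SQL LIKE (with the '!' escape) for offline comparison.
func likeMatch(pattern, value string) bool {
	re := "^"
	for i := 0; i < len(pattern); i++ {
		switch c := pattern[i]; {
		case c == likeEscape[0] && i+1 < len(pattern):
			i++
			re += regexp.QuoteMeta(string(pattern[i]))
		case c == '%':
			re += ".*"
		case c == '_':
			re += "."
		default:
			re += regexp.QuoteMeta(string(c))
		}
	}
	return regexp.MustCompile(re + "$").MatchString(value)
}
```

With a constructed keyword `TOPUP12345_` (trailing `_`, as in the PoC's tampered `trade_no`), the vulnerable pattern also matches `TOPUP12345X`, while the hardened pattern matches only the literal underscore.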