SQL Injection in galette/galette
Nov 8th 2021
Hi, I could find a SQL Injection when adding a user.
From OWASP : A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system.
Proof of Concept
From the administrator panel:
- Add a user and intercept the request
- In the
id_statusfield place the payload
(SELECT 1 FROM (SELECT(SLEEP(10)))a)-- -to perform a 10s sleep.
- Access to the database in read/write mode