The API endpoint `/AuthenticateUser` contains a SQL injection into the SQLite3 database that handles the authentication process of the SystemUsers. To exploit this vulnerability, the attacker needs to possess a valid API key, which can either be leaked through the XSS from an End User Device or be given as part of the UAV Operator ability, which broadcasts the GPS and video feed of a UAV drone.
From the SQL injection it is possible to list all the Username, UsedID and clear-text passwords in the database.
Proof of Concept
Posting the following snippet into a web browser's console will trigger the SQL injection and return the name and password for each user in the SystemUsers table.
The request will return the following response:
![sqli_response](https://user-images.githubusercontent.com/14073684/154236898-a613d20a-92e3-4ab2-88de-95f5f40c18d0.jpg)
The response clearly shows the database results in clear text.
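The two root causes described above (request input reaching the SQL text, and passwords stored in clear text) can be contrasted with a hardened lookup. This is an added example, not code from the affected project: the server language, the column names, the sample users and the work factor are assumptions, and only the `SystemUsers` table name comes from the report.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 100_000  # assumed work factor for this example

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256 so the table never holds clear-text passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_db() -> sqlite3.Connection:
    # Constructed in-memory data; column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE SystemUsers (UserID INTEGER PRIMARY KEY, "
               "Username TEXT UNIQUE, Salt BLOB, PasswordHash BLOB)")
    for name, pw in (("operator", "constructed-pw-1"), ("admin", "constructed-pw-2")):
        salt = os.urandom(16)
        db.execute("INSERT INTO SystemUsers (Username, Salt, PasswordHash) "
                   "VALUES (?, ?, ?)", (name, salt, hash_password(pw, salt)))
    return db

def lookup_unsafe(db, username):
    # Flawed pattern: request input is spliced into the SQL text itself.
    sql = f"SELECT UserID FROM SystemUsers WHERE Username = '{username}'"
    return db.execute(sql).fetchall()

def authenticate(db, username, password):
    # Hardened: the ? placeholder binds input as a value, never as SQL.
    row = db.execute("SELECT UserID, Salt, PasswordHash FROM SystemUsers "
                     "WHERE Username = ?", (username,)).fetchone()
    if row is None:
        return None
    user_id, salt, stored = row
    # Constant-time comparison of the derived hash against the stored one.
    if hmac.compare_digest(stored, hash_password(password, salt)):
        return user_id
    return None

if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed input containing quote characters
    print("unsafe lookup rows:", len(lookup_unsafe(db, probe)))
    print("hardened result:", authenticate(db, probe, "anything"))
    print("valid login:", authenticate(db, "operator", "constructed-pw-1"))
```

With the bound parameter the quote characters are compared literally against `Username`, so the constructed probe matches no row, and a read of the table would expose only salts and hashes.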