Headline
CVE-2023-42405: [BUG] SQL injection vulnerability in list() method across multiple controllers · Issue #79 · fit2cloud/rackshift
SQL injection vulnerability in FIT2CLOUD RackShift v1.7.1 allows attackers to execute arbitrary SQL via the sort parameter to taskService.list(), bareMetalService.list(), and switchService.list(). (The payloads below demonstrate error-based and time-based SQL injection, not code execution on the host.)
Description
Multiple SQL injection vulnerabilities in RackShift v1.7.1 allow an attacker to execute arbitrary SQL commands via the sort parameter to taskService.list(), bareMetalService.list(), switchService.list() and other list() methods that share the same mapper pattern.
Detail
Multiple controllers share the same SQL injection vulnerability; TaskController is used here as the worked example. The list() method in TaskController.java accepts the user-supplied POST request body (a TaskDTO) and passes it to taskService.list() for processing.
The TaskDTO definition includes a “sort” parameter.
In TaskService.java the parameters are ultimately handed to extTaskMapper.list() in ExtTaskMapper.java.
In ExtTaskMapper.xml, when the “sort” parameter is not empty it is concatenated directly into the SQL statement as order by ${sort}, with no validation or sanitization. MyBatis ${} is plain text substitution (unlike #{}, which binds a prepared-statement parameter), so the attacker-controlled value becomes part of the SQL text itself. This results in a SQL injection vulnerability in the ORDER BY clause.
Payload
Type: error-based
Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)
Payload: {"searchKey":"1","sort":"(UPDATEXML(2546,CONCAT(0x2e,0x717a6b7171,(SELECT (ELT(2546=2546,1))),0x7171787871),9622))"}
Type: time-based blind
Title: MySQL > 5.0.12 time-based blind - Parameter replace (heavy query - comment)
Payload: {"searchKey":"1","sort":"(SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS A, INFORMATION_SCHEMA.COLUMNS B, INFORMATION_SCHEMA.COLUMNS C WHERE 0 XOR 1)"}
PoC
Suggestion
Define a whitelist of permitted “sort” values (the sortable column names, optionally followed by asc or desc) and validate the incoming “sort” parameter against it in the Java code before the value reaches the mapper. Note that simply changing the mapper to #{sort} is not a fix: that binds the value as a string literal, so the database would order by a constant rather than by the requested column, which is why ORDER BY targets must be validated by allow-list rather than parameterized.
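The following is an added example, not RackShift's own code: it shows what the order by ${sort} substitution described under Detail does to the query text, alongside the allow-list validation recommended above. The class name, base query, table and column names, and the set of sortable fields are assumptions chosen for illustration; the error-based payload is the one from the report. Requires Java 11 or newer (single-file run: java SortWhitelistDemo.java).

```java
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class SortWhitelistDemo {

    // Hypothetical stand-in for the mapper's query; table and column names are assumptions.
    private static final String BASE_QUERY =
            "SELECT id, name, status FROM task WHERE name LIKE ?";

    // Vulnerable shape: mirrors what "order by ${sort}" does in the mapper XML.
    // ${} is raw text substitution, so whatever the client sent lands in the SQL verbatim.
    static String buildVulnerableQuery(String sort) {
        StringBuilder sql = new StringBuilder(BASE_QUERY);
        if (sort != null && !sort.isEmpty()) {
            sql.append(" order by ").append(sort);
        }
        return sql.toString();
    }

    // Hardened shape: allow-list of DTO field names mapped to real column names.
    // Only these keys may appear in "sort"; everything else is rejected.
    private static final Map<String, String> SORTABLE_COLUMNS = Map.of(
            "id", "id",
            "name", "name",
            "status", "status",
            "createTime", "create_time");

    // Accepts exactly "<field>" or "<field> asc|desc"; no parentheses, commas or functions.
    private static final Pattern SORT_EXPR = Pattern.compile(
            "^([A-Za-z][A-Za-z0-9_]*)(?:\\s+(asc|desc))?$", Pattern.CASE_INSENSITIVE);

    // Returns the ORDER BY fragment to append, or empty when no sort was requested.
    // Throws on anything outside the allow-list instead of trying to "clean" the input.
    static Optional<String> validateSort(String sort) {
        if (sort == null || sort.isBlank()) {
            return Optional.empty();
        }
        Matcher m = SORT_EXPR.matcher(sort.trim());
        if (!m.matches()) {
            throw new IllegalArgumentException("malformed sort expression");
        }
        String column = SORTABLE_COLUMNS.get(m.group(1));
        if (column == null) {
            throw new IllegalArgumentException("field is not sortable: " + m.group(1));
        }
        String direction = m.group(2) == null ? "ASC" : m.group(2).toUpperCase(Locale.ROOT);
        return Optional.of(column + " " + direction);
    }

    // The fragment appended here can only be one of the SORTABLE_COLUMNS values plus
    // ASC/DESC, so concatenating it into the ORDER BY clause is safe at this point.
    static String buildSafeQuery(String sort) {
        return validateSort(sort)
                .map(fragment -> BASE_QUERY + " ORDER BY " + fragment)
                .orElse(BASE_QUERY);
    }

    public static void main(String[] args) {
        // Error-based payload from the report, as it arrives in the JSON "sort" field.
        String payload = "(UPDATEXML(2546,CONCAT(0x2e,0x717a6b7171,"
                + "(SELECT (ELT(2546=2546,1))),0x7171787871),9622))";

        System.out.println("vulnerable: " + buildVulnerableQuery(payload));
        System.out.println("safe:       " + buildSafeQuery("createTime desc"));
        try {
            buildSafeQuery(payload);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected:   " + e.getMessage());
        }
    }
}
```

The validator deliberately maps client-facing field names to column names rather than passing any identifier through, so the client never controls SQL syntax at all; a field that is not in the map, or any expression containing parentheses, commas or whitespace beyond a single direction keyword, is rejected with an exception that the controller can turn into a 400 response.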