CVE-2022-38868: Authenticated SQL injection in seccome/ehoney · Issue #59 · seccome/Ehoney

SQL Injection vulnerability in Ehoney version 2.0.0 in models/protocol.go and models/images.go, allows attackers to execute arbitrary code.

Tags: #sql #vulnerability #auth

Summary

api/v1/protocol/set and api/v1/images/set API endpoints are vulnerable to authenticated SQL injection.

Affected version: ehoney v2.0.0

Analysis

1. For api/v1/protocol/set, the sink is in models/protocol.go:

//models/protocol.go

// payload.Payload is the user-supplied search term. It is wrapped in LIKE wildcards
// and spliced straight into the SQL text by fmt.Sprintf; nothing escapes it or binds it.
var p = "%" + payload.Payload + "%"
sql := fmt.Sprintf("select id, creator, status, create_time, protocol_type, deploy_path, default_flag, min_port, max_port from protocols where CONCAT(id, creator, create_time, protocol_type, deploy_path, min_port, max_port) LIKE '%s' order by create_time DESC", p)

2. For api/v1/images/set, the sink is in models/images.go:

//models/images.go

// Same pattern: the search term goes into the statement text via fmt.Sprintf, unescaped.
var p = "%" + payload.Payload + "%"
sql := fmt.Sprintf("select id, image_name, image_address, image_port, image_type, default_flag from images where CONCAT(image_name, image_address, image_port, image_type) LIKE '%s'", p)

As the snippets above show, payload.Payload is inserted into the SQL statement without sanitization or parameter binding. Its source is the Payload parameter of these two API endpoints, which is user-controlled, so SQL injection arises.
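The following Go program is an added example and is not Ehoney's code. buildVulnerable mirrors the fmt.Sprintf pattern from models/protocol.go on a shortened column list, and buildSafe shows the corrected form: the statement text stays constant and the search term travels as a bind argument, with the LIKE metacharacters escaped so a search for "100%" does not match every row. Table and column names come from the advisory; the "?" placeholder syntax assumes database/sql with a MySQL driver, and backslash is assumed to be the LIKE escape character (MySQL's default).

```go
package main

import (
	"fmt"
	"strings"
)

// Added example, not Ehoney's code. Table and column names follow the advisory;
// the "?" placeholder assumes database/sql with a MySQL driver.

// buildVulnerable splices the user-controlled search term into the SQL text.
// A single quote inside payload terminates the LIKE literal, so whatever
// follows it is parsed as SQL rather than as search text.
func buildVulnerable(payload string) string {
	p := "%" + payload + "%"
	return fmt.Sprintf("select id, creator from protocols where CONCAT(id, creator) LIKE '%s' order by create_time DESC", p)
}

// escapeLike escapes the LIKE metacharacters so that a user searching for
// "100%" matches that literal string instead of every row. Backslash is
// MySQL's default LIKE escape character, which is why no ESCAPE clause is used.
func escapeLike(s string) string {
	return strings.NewReplacer(`\`, `\\`, `%`, `\%`, `_`, `\_`).Replace(s)
}

// buildSafe keeps the SQL text constant and returns the search term as a bind
// argument. The caller passes both to db.Query(query, args...); the driver
// sends the value separately from the statement, so it can never become SQL.
func buildSafe(payload string) (query string, args []interface{}) {
	query = "select id, creator from protocols where CONCAT(id, creator) LIKE ? order by create_time DESC"
	args = []interface{}{"%" + escapeLike(payload) + "%"}
	return query, args
}

func main() {
	// The advisory's payload begins with "TOM'"; the quote alone shows the break-out.
	input := "TOM'"
	fmt.Println("vulnerable:", buildVulnerable(input))
	q, a := buildSafe(input)
	fmt.Printf("safe: %s  args=%q\n", q, a)
}
```

Running it shows the vulnerable statement ending in `LIKE '%TOM'%'`, where the user's quote has closed the literal, while the safe query text is identical for every input and the quote only appears inside the bound argument.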

Proof of Concept

Take Ehoney's demo environment as an example. The api/v1/protocol/set endpoint is used to demonstrate the SQL injection; api/v1/images/set behaves the same way.

After logging in with admin/admin123, an attacker can intercept the request and replace the Payload parameter with a malicious value to achieve SQL injection.
Payload:
TOM' UNION ALL SELECT NULL,NULL,NULL,CONCAT(CONCAT('',database()),''),NULL,NULL,NULL,NULL,NULL-- a

As the screenshot below shows, the attacker sends the modified request with Burp Suite and the server responds with the database name: sec_ehoneypot
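On the detection side, requests to the two affected endpoints can be screened for Payload values that would close the LIKE literal. The Go program below is an added example, not part of the advisory or of Ehoney: it assumes request log lines of the form "<METHOD> <path>?<query>" with the search term carried in a Payload query parameter (Ehoney's real request format may differ), URL-decodes the parameter and reports lines where a quote is followed by an SQL keyword or where a comment sequence appears. The sample log is constructed; its second line carries the advisory's own payload.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Added example, not Ehoney's code. Assumes log lines "<METHOD> <path>?<query>"
// with the search term in a Payload query parameter.

// affectedEndpoints lists the two endpoints named in the advisory.
var affectedEndpoints = map[string]bool{
	"/api/v1/protocol/set": true,
	"/api/v1/images/set":   true,
}

// injectionPattern flags a quote that would close the LIKE literal when it is
// followed by an SQL keyword, or a comment sequence that would discard the
// rest of the statement.
var injectionPattern = regexp.MustCompile(`(?i)'\s*(union|select|or|and)\b|--(\s|$)|/\*`)

// Finding records one suspicious request.
type Finding struct {
	Line    string
	Payload string
}

// detectSQLiAttempts returns the lines whose Payload parameter, after URL
// decoding, matches injectionPattern. Only the affected endpoints are inspected,
// so the same string sent to an unrelated path is not reported.
func detectSQLiAttempts(lines []string) []Finding {
	var out []Finding
	for _, line := range lines {
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue
		}
		u, err := url.Parse(fields[1])
		if err != nil || !affectedEndpoints[u.Path] {
			continue
		}
		payload := u.Query().Get("Payload") // Query() URL-decodes the value
		if payload != "" && injectionPattern.MatchString(payload) {
			out = append(out, Finding{Line: line, Payload: payload})
		}
	}
	return out
}

// sampleLog is constructed for this example; line 2 carries the advisory's payload.
var sampleLog = []string{
	"POST /api/v1/protocol/set?Payload=TOM",
	"POST /api/v1/protocol/set?Payload=TOM%27+UNION+ALL+SELECT+NULL%2CNULL--+a",
	"POST /api/v1/images/set?Payload=ubuntu%3A20.04",
	"POST /api/v1/other/set?Payload=TOM%27+UNION+SELECT+1",
}

func main() {
	for _, f := range detectSQLiAttempts(sampleLog) {
		fmt.Printf("suspicious request: %s\n  decoded Payload: %s\n", f.Line, f.Payload)
	}
}
```

Only the second sample line is reported: the first and third are ordinary search terms, and the fourth targets a path the advisory does not name. A pattern match like this is a triage signal, not a fix; the parameterized query is what removes the vulnerability.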
