SQL injection exists in camptocamp/terraboard.

Among the APIs there is one routed to `/api/search/attribute`, whose handler is `api.SearchAttribute`. The `api.SearchAttribute` method takes the request parameters and passes them into `db.SearchAttribute`. In `db.SearchAttribute`, when the request parameter `tf_version` or `lineage_value` is set, execution reaches line 373 or line 377 respectively. Both lines build the SQL statement by splicing strings together, which leads to SQL injection.

As an example, part of the code on line 373 is as follows:

```go
fmt.Sprintf("states.tf_version LIKE '%s'", fmt.Sprintf("%%%s%%", v))
```

Here the variable `v` is the request parameter `tf_version`, which is user controllable. When `v` is the following string:

```go
v := "' OR pg_sleep(10) OR states.tf_version LIKE '%"
```

the SQL fragment becomes `states.tf_version LIKE '%' OR pg_sleep(10) OR states.tf_version LIKE '%%'`, which causes PostgreSQL to execute the `pg_sleep` function. Replacing `pg_sleep` with another statement would have more serious consequences.

Try executing the following `curl` command, which should make the request take 10 seconds to return a response, where `$DEMO_URL` is the address and port of the application:

```shell
curl "http://${DEMO_URL}/api/search/attribute?tf_version='+OR+pg_sleep(10)+OR+states.tf_version+LIKE+'%"
```