huntr | jomc98 | CF398528-819F-456E-88E7-C06D268D3F44
History: Apr 09, 2023 - 9:09 p.m.

SQL injection in SegmentAssignmentController.php

Published: 2023-04-09 21:09:18
Author: jomc98
Source: www.huntr.dev
Tags: sql injection, segmentassignmentcontroller, inheritablesegments, php, sql query, prepared statements, stacked queries, malicious queries, database

EPSS: 0.001 (Low), Percentile: 39.5%

Description

An administrator user can use the inheritableSegments feature to execute their own blind SQL queries.

Proof of Concept

The vulnerable PHP code is in src/Controller/Admin/SegmentAssignmentController.php, in the method inheritableSegments:

The parameter type is not escaped and is concatenated into the SQL query without using prepared statements. This leads to a SQL injection on this parameter.

The query that is being executed is similar to this:

SELECT 'parentId' FROM 'TYPE + s' WHERE 'id'=PARAMETRIZED_ID

We can see it in the following screenshot, where we print the $parentIdStatement variable in the HTTP response for debugging purposes.

In that example, we pass type=document; the code appends an "s" to it and queries the documents table. For that reason, to get a working SQL injection we need to supply an existing, valid table name, such as documents. As MySQL supports stacked queries, we can use them to execute any query we want on the database. We also have to take care of the trailing part of the query: + s' WHERE 'id'=PARAMETRIZED_ID.

For that reason, we can build a query like this:

SELECT 'parentId' FROM 'documents'; MALICIOUS_SQL_QUERY; SELECT 1 FROM 'documents' WHERE 'id'=PARAMETRIZED_ID

This will run 3 SQL queries on the database:

  1. SELECT 'parentId' FROM 'documents'
  2. MALICIOUS_SQL_QUERY
  3. SELECT 1 FROM 'documents' WHERE 'id'=PARAMETRIZED_ID

With this, we can run our malicious queries without errors. To achieve this, we must inject the following crafted payload into the type parameter:

documents`; MALICIOUS_SQL_QUERY; SELECT 1 FROM `document

This will raise an error in our response, because the type parameter is used again on line 62, after the query has been run against the DB.

However, as we can see, our malicious query is executed.

That is why this SQL injection is blind, but we can insert, edit or delete any data in the DB, and we can also obtain data with time-based or error-based queries.
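The root cause described above is that a table identifier is built from the request, and identifiers cannot be bound by prepared statements. The following added example (not Pimcore's code) shows the hardened pattern: the type value is only ever a key into an allowlist, the id is bound as a parameter, and multi-statement execution is disabled on the connection. The allowlist entries other than document/documents, the table and column names, and the PDO setup are assumptions.

```php
<?php
// Added example, not code from the project: hardened lookup pattern.
// Assumptions: PDO/MySQL, column names `parentId` and `id`, and the
// element types listed in TYPE_TABLES (only document -> documents is
// taken from the report; the others are hypothetical).
declare(strict_types=1);

// The request value is used only as a key here, never concatenated into
// SQL, so a value carrying a ";" or a backtick is rejected before any
// statement reaches the database.
const TYPE_TABLES = [
    'document' => 'documents',
    'asset'    => 'assets',   // assumption
    'object'   => 'objects',  // assumption
];

function resolveTable(string $type): string
{
    if (!array_key_exists($type, TYPE_TABLES)) {
        throw new InvalidArgumentException('Unsupported element type');
    }
    return TYPE_TABLES[$type];
}

function parentIdFor(PDO $pdo, string $type, int $id): ?int
{
    $table = resolveTable($type);           // identifier from the allowlist
    $sql   = sprintf('SELECT `parentId` FROM `%s` WHERE `id` = :id', $table);
    $stmt  = $pdo->prepare($sql);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT); // value bound, not concatenated
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['parentId'];
}

function connect(string $dsn, string $user, string $pass): PDO
{
    // Defence in depth: even if a concatenation slips through elsewhere,
    // stacked queries ("...; MALICIOUS_SQL_QUERY; ...") cannot run.
    return new PDO($dsn, $user, $pass, [
        PDO::MYSQL_ATTR_MULTI_STATEMENTS => false,
        PDO::ATTR_EMULATE_PREPARES       => false,
        PDO::ATTR_ERRMODE                => PDO::ERRMODE_EXCEPTION,
    ]);
}

// The crafted value from the report is rejected without touching the DB.
try {
    resolveTable("documents`; MALICIOUS_SQL_QUERY; SELECT 1 FROM `document");
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Rejected type values are worth logging with the requesting admin account, since a backtick or semicolon in this parameter never occurs in legitimate use of the feature.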
