SQL Injection - snoopysecurity/dvws-node GitHub Wiki
SQL injection is a vulnerability that allows an attacker to modify the queries an application makes to its database via user input. It can be abused to view, modify, or delete application data that would not otherwise be accessible, or to make persistent changes to the application's content or behaviour.
A blind SQL injection vulnerability exists within the passphrase generator area of the dvws application.
The following API request is sent to get a passphrase:

```http
GET /api/v2/passphrase/foobar2 HTTP/1.1
Host: dvws.local
Accept: application/json, text/plain, */*
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiZm9vYmFyMiIsInBlcm1pc3Npb25zIjpbInVzZXI6cmVhZCIsInVzZXI6d3JpdGUiLCJ1c2VyOmFkbWluIl0sImlhdCI6MTU5MTQ1NTQ0NywiZXhwIjoxNTkxNjI4MjQ3LCJpc3MiOiJodHRwczovL2dpdGh1Yi5jb20vc25vb3B5c2VjdXJpdHkifQ.Ja26PD9TTtj3cpbMh--JJ0NDD-4r9gZUIEuat2jW6OQ
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4164.0 Safari/537.36 autochrome/red
Referer: http://dvws.local/passphrasegen.html
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close
```
An error can be observed when a single quote is inserted as part of the API URL. SQL injection can be further verified by inserting a SQL statement such as `' OR '1'='1`, which results in the following response.

The vulnerable `save` handler from the project source builds its INSERT statement by string concatenation:
```javascript
// set_cors, jwt (JSON Web Token library) and sql (database connection) are
// defined earlier in the project file; that part is not shown on this page.
module.exports = {
  save: (req, res) => {
    res = set_cors(req, res)
    res.set('Cache-Control', 'no-store, no-cache, must-revalidate, private');
    if (req.body.passphrase === '' || req.body.reminder === '' ) {
      res.send('Passphrase or Reminder Empty');
    } else {
      let result = {}
      const token = req.headers.authorization.split(' ')[1]; // Bearer <token>
      const options = {
        expiresIn: '2d',
        issuer: 'https://github.com/snoopysecurity',
      };
      // The username written to the table comes from the verified token payload
      result = jwt.verify(token, process.env.JWT_SECRET, options);
      sql.query("CREATE TABLE IF NOT EXISTS `passphrases` (`username` varchar(200) NOT NULL,`passphrase` varchar(200) NOT NULL,`reminder` varchar(200) NOT NULL,`created_at` datetime NOT NULL DEFAULT CURRENT_TIMESTAMP)")
      // Vulnerable: all three values are concatenated straight into the SQL text,
      // so a quote inside req.body.passphrase or req.body.reminder ends the literal
      var save_query = "INSERT INTO passphrases (username,passphrase,reminder) values ('" + result.user + "','" + req.body.passphrase + "','" + req.body.reminder + "')"
      sql.query(save_query, function (err, result) {
        if (err) {
          res.status(500);
          // The raw database error is returned to the client, which is why the
          // single-quote test above produces a visible error
          res.send(err);
        } else {
          res.send('Passphrase Saved Successfully');
        }
      });
    }
  },
  // the remaining handlers of this module are not shown on this page
};
```
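The following is an added example and not code from the dvws-node project. It places the handler's concatenated INSERT beside a parameterized version (the `?` placeholder form accepted by the Node.js `mysql` and `mysql2` drivers as `connection.query(sqlText, values, callback)`), and adds a small structural check: every single-quoted literal in a SQL string is replaced by `?` so that only the statement's shape remains, which makes the effect of a quote in user input visible without a database. The function names, the expected skeleton and the sample inputs are all constructed for this example.

```javascript
'use strict';

// Mirrors the project's concatenation: the values are spliced into the SQL text itself.
function buildVulnerableInsert(user, passphrase, reminder) {
  return "INSERT INTO passphrases (username,passphrase,reminder) values ('" +
    user + "','" + passphrase + "','" + reminder + "')";
}

// Hardened form: the SQL text is a constant template and the values travel
// separately to the driver, which escapes or binds them so that a value can never
// terminate the literal it sits in. This is what the fixed handler would pass to
// sql.query(result.sql, result.values, callback).
function buildSafeInsert(user, passphrase, reminder) {
  return {
    sql: 'INSERT INTO passphrases (username,passphrase,reminder) VALUES (?,?,?)',
    values: [user, passphrase, reminder],
  };
}

// Reduce a SQL string to its skeleton: every single-quoted literal becomes ?.
// The SQL-standard '' escape inside a literal is handled; MySQL backslash escapes
// are deliberately not, because the goal is to expose structure, not to parse MySQL.
function sqlSkeleton(sqlText) {
  let out = '';
  let i = 0;
  while (i < sqlText.length) {
    const ch = sqlText[i];
    if (ch !== "'") { out += ch; i += 1; continue; }
    // Inside a literal: advance to the closing quote, treating '' as an escaped quote.
    i += 1;
    for (;;) {
      if (i >= sqlText.length) return out + '<UNTERMINATED>';
      if (sqlText[i] === "'") {
        if (sqlText[i + 1] === "'") { i += 2; continue; }
        i += 1;
        break;
      }
      i += 1;
    }
    out += '?';
  }
  return out;
}

// The shape the developer intended: exactly three literals and nothing else.
const EXPECTED_SKELETON =
  'INSERT INTO passphrases (username,passphrase,reminder) values (?,?,?)';

// True while the final SQL text still has the intended shape; false once user input
// has added literals, operators or keywords outside the quoted values.
function hasExpectedShape(sqlText) {
  return sqlSkeleton(sqlText) === EXPECTED_SKELETON;
}

// Constructed sample inputs (not taken from the page's traffic).
const benign = buildVulnerableInsert('foobar2', 'correct horse', 'my reminder');
const injected = buildVulnerableInsert('foobar2', "' OR '1'='1", 'my reminder');

console.log(sqlSkeleton(benign));                                  // ... values (?,?,?)
console.log(sqlSkeleton(injected));                                // ... values (?,? OR ?=?,?)
console.log(hasExpectedShape(benign), hasExpectedShape(injected)); // true false
console.log(buildSafeInsert('foobar2', "' OR '1'='1", 'my reminder'));
```

The skeleton comparison is the idea behind query-shape whitelisting: with parameterized queries the text handed to the driver is always the template, so its skeleton cannot change no matter what the request body contains; with concatenation the skeleton changes as soon as input contains a quote, and the changed shape (an `OR` and two extra literals in the second example) is exactly what the single-quote test on this page triggers.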