Potential SQL Injection
Step 1: Code vulnerable to SQL injection
- ZeroNet version: latest
- Operating system: all operating systems
Step 2: Describe the problem:
The types of attacks that can be performed using SQL injection vary depending on the type of database engine. The attack works on dynamic SQL statements. A dynamic statement is a statement that is generated at run time using parameters passed from a web form or URI query string.

Vulnerable code: https://github.com/HelloZeroNet/ZeroNet/blob/py3/plugins/OptionalManager/ContentDbPlugin.py line 126 is vulnerable to SQL injection:

`res = cur.execute("SELECT * FROM content WHERE size_files_optional > 0 AND site_id = %s" % site_id)`

An attacker can bypass it like this: `"site_id OR malicious_sql_query#`
How to prevent SQLi?
- User input should never be trusted: it must always be sanitized before it is used in dynamic SQL statements.
- Stored procedures: these can encapsulate the SQL statements and treat all input as parameters.
- Prepared statements: prepared statements work by creating the SQL statement first, then treating all submitted user data as parameters. This has no effect on the syntax of the SQL statement.
- Regular expressions: these can be used to detect potentially harmful code and remove it before executing the SQL statements.
- Database connection user access rights: only necessary access rights should be given to accounts used to connect to the database. This can help reduce what the SQL statements can perform on the server.
- Error messages: these should not reveal sensitive information or where exactly an error occurred. Simple custom error messages such as "Sorry, we are experiencing technical errors. The technical team has been contacted. Please try again later" can be used instead of displaying the SQL statements that caused the error.
Observed Results:
Expected Results:
- A SQL injection attack occurs when:
  - Unintended data enters a program from an untrusted source.
  - The data is used to dynamically construct a SQL query.
`site_id` is not derived from user input: https://github.com/HelloZeroNet/ZeroNet/blob/454c0b2e7e000fda7000cba49027541fbf327b96/plugins/OptionalManager/ContentDbPlugin.py#L120-L127

Yes, but it's a potential SQL injection.

Could you provide some site code that reproduces such an issue?

You can check the links below:
https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
https://owasp.org/www-community/attacks/SQL_Injection
https://blog.sqreen.com/preventing-sql-injections-in-python/
You can Google, I can Google, yes, that's beside the point. As ZeroNet is a privacy- and security-related project, I'm certain nofish knew what OWASP is and attempted to protect ZeroNet users from XSS, RCE, SQLi, and other common vulnerabilities.
So: does this code smell? Perhaps. Is it vulnerable? No, because `site_id` is an integer, not a string. As development mostly happens in forks nowadays and deviating from the original code base might not be the brightest idea, I'd drop this and only fix bugs that lead to actual vulnerabilities.

Actually, it doesn't matter whether `site_id` is an integer or a string in SQL injection :) @imachug
I'm waiting for a PoC exploit then, and I'll be shocked as hell if you succeed.
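As an added example (not ZeroNet's code and not from this thread), here is the `%`-formatted statement quoted in the issue beside a parameterized version of the same query, plus a variant that enforces the integer type at the boundary as argued above. The in-memory SQLite table, its columns and its sample rows are assumptions made for the demonstration, not ZeroNet's real schema.

```python
import sqlite3


# Constructed in-memory table with only the columns the issue's query touches
# (sample schema and rows, not ZeroNet's real content table).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE content (site_id INTEGER, inner_path TEXT, size_files_optional INTEGER)"
    )
    con.executemany(
        "INSERT INTO content VALUES (?, ?, ?)",
        [(1, "content.json", 10), (2, "content.json", 20), (3, "content.json", 0)],
    )
    return con


def query_formatted(con, site_id):
    # The pattern quoted in the issue: the value is spliced into the SQL text with %,
    # so whatever site_id contains becomes part of the statement itself.
    sql = "SELECT site_id FROM content WHERE size_files_optional > 0 AND site_id = %s" % site_id
    return con.execute(sql).fetchall()


def query_parameterized(con, site_id):
    # Same query with a bound parameter: the driver hands site_id to SQLite as a
    # value, so it is compared against the column and never parsed as SQL.
    sql = "SELECT site_id FROM content WHERE size_files_optional > 0 AND site_id = ?"
    return con.execute(sql, (site_id,)).fetchall()


def query_typed(con, site_id):
    # Variant that keeps the original statement shape but rejects anything that is
    # not an int before it reaches the SQL text (the integer argument from the thread).
    if not isinstance(site_id, int):
        raise TypeError("site_id must be an int, got %r" % (site_id,))
    return query_formatted(con, site_id)


if __name__ == "__main__":
    con = make_db()
    tainted = "1 OR 1=1"  # constructed string input, not an integer site id
    print(query_formatted(con, 1))            # [(1,)]
    print(query_formatted(con, tainted))      # [(1,), (2,), (3,)]  size filter bypassed
    print(query_parameterized(con, tainted))  # []  compared as a value, matches nothing
```

With an integer `site_id` all three functions return the same row; the difference only appears once a string reaches the call, which is exactly the type question the thread turns on.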