This can be exploited to execute arbitrary SQL commands with the privileges of the user running the application or to delete, edit, or disable certain system tables.
We outline the vulnerability below and provide a proof of concept to demonstrate the issue.
!--- SQL injection vulnerability in OpenCATS --->
The vulnerability was discovered by Antonio D’Andrea via fuzzing and was reported to the OpenCATS team on March 15th, 2018. The researcher was credited with responsibly disclosing the vulnerability and received a response from the OpenCATS bug bounty program.
The vulnerability was patched in version 0.9.6.
SQL Injection in OpenCATS - Proof of Concept
The vulnerability is an SQL injection in the 'Indexes' table.
This can be exploited to execute arbitrary SQL commands with the privileges of the user running the application or to delete, edit, or disable certain system tables.
Payload:
Select * from Indexes where (SELECT COUNT(*),CONCAT((SELECT 1 FROM DUAL),CHAR(4)));
This allows us to view all indexes and then select all columns by executing a count with a value of 1 (cannot select from more than one index) and concatenate it with another column. This will then return all columns except for the last two ones.
SQL injection in OpenCATS code
The vulnerable code is located inside the "getRegex" function of the "models.py" file. The vulnerable line of code is:
return self._schema.fields_dict["name"]
This line translates to this SQL query:
In order for this query to be successful, the user must have access to the database (or any other application that uses the same database). This vulnerability can be exploited to execute arbitrary SQL commands with the privileges of the user running the application or to delete, edit, or disable certain system tables.
How does SQL Injection work?
SQL injection is a type of attack that allows an attacker to execute arbitrary SQL queries with the privileges of the user running the application or to delete, edit, or disable certain system tables.
For example, if an application were vulnerable to SQL injection and an attacker were able to inject a string into the URL of the vulnerable application, they could potentially call any function that would allow them to execute arbitrary SQL queries with the privileges of the user running the application. This would allow attackers to gain access to functions from within their database such as printing sensitive information such as passwords.
This vulnerability can be exploited by injecting a single quote character (') followed by an out-of-bounds parameter into the URL for OpenCATS. A proof-of-concept exploit can be seen below:
Timeline
Published on: 10/19/2022 18:15:00 UTC
Last modified on: 10/20/2022 05:47:00 UTC