Summary The parameter add_links in the API /json/add_package is vulnerable to SQL Injection. SQL injection vulnerabilities can lead to sensitive data leakage. Details Affected file:https://github.com/pyload/pyload/blob/develop/src/pyload/core/database/file_database.py#L271 Affected code: “python @style.queue def update_link_info(self, data): """ data is list of tuples (name, size, status, url) """ self.c.executemany( "UPDATE links SET name=?, size=?, status=? WHERE url=? AND status IN (1,2,3,14)", data, ) ids = [] statuses = "','".join(x[3] for x in data) self.c.execute(f"SELECT id FROM links WHERE url IN ('{statuses}')") for r in self.c: ids.append(int(r[0])) return ids ““ statuses is constructed from data, and data is the value of the add_links parameter entered by the user through /json/add_packge. Because{statuses}` is directly spliced into the SQL statement, it leads to the SQL injection vulnerability. Vulnerability Chain xml josn_blueprint.py#add_package src/pyload/core/api/__init__.py#add_package src/pyload/core/managers/file_manager.py#add_links src/pyload/core/threads/info_thread.py#run src/pyload/core/threads/info_thread.py#update_info src/pyload/core/managers/file_manager.py#update_file_info src/pyload/core/database/file_database.py#update_link_info PoC “`python import requests if name == "main": url =…Read More
GHSA-PWH4-6R3M-J2RF PyLoad vulnerable to SQL Injection via API /json/add_package in add_links parameter
