Steps to reproduce
https://github.com/hhyo/Archery/blob/v1.8.5/sql/slowlog.py#L167
The checksum parameter of the report interface is not escaped and is passed directly into the SQL statement that is executed, resulting in SQL injection. Any logged-in user can exploit this injection to read other users' Django session_key values from the database and thereby obtain DBA role permissions.
https://github.com/hhyo/Archery/blob/v1.8.5/sql/db_diagnostic.py#L57
The ThreadIDs parameter of the create_kill_session interface is not converted to int, resulting in SQL injection. Users in the DBA role can use it to bypass query restrictions.
https://github.com/hhyo/Archery/blob/v1.8.5/sql/db_diagnostic.py#L88
The ThreadIDs parameter of the kill_session interface is not converted to int, resulting in SQL injection. Because the output of the first SQL statement is then used as a SQL statement and run again on the MySQL instance, this becomes a second-order SQL injection that allows arbitrary SQL statements to be executed; users in the DBA role can thereby bypass the SQL review process.
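The two defects above are the same root cause: untrusted request parameters reach the database as SQL text instead of as bound values or validated integers. The following is an added illustration, not Archery's code; the table names, column names and sample rows are constructed for the demo (sqlite3 stands in for MySQL, and `KILL` statements are only built as strings, never executed). It shows the unsafe string-interpolation pattern next to a parameterized query for the checksum lookup, a strict integer allowlist for a ThreadIDs-style parameter, and a re-validation step for statements generated from a previous query result, which is the check that closes the second-order path.

```python
import re
import sqlite3


def make_demo_db():
    """Constructed in-memory schema; not Archery's real tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE slow_query (checksum TEXT, fingerprint TEXT)")
    conn.executemany(
        "INSERT INTO slow_query VALUES (?, ?)",
        [("abc123", "select * from t where id=?"),
         ("def456", "update t set x=? where id=?")],
    )
    return conn


def report_vulnerable(conn, checksum):
    """Unsafe pattern: the request parameter becomes part of the SQL text."""
    sql = "SELECT fingerprint FROM slow_query WHERE checksum = '%s'" % checksum
    return [row[0] for row in conn.execute(sql)]


def report_fixed(conn, checksum):
    """Safe pattern: the driver binds the value; it is never parsed as SQL."""
    sql = "SELECT fingerprint FROM slow_query WHERE checksum = ?"
    return [row[0] for row in conn.execute(sql, (checksum,))]


def parse_thread_ids(raw):
    """Accept only a comma-separated list of unsigned integers.

    Anything else (quotes, semicolons, keywords) is rejected before any SQL
    is built, so the parameter can only ever contribute numbers.
    """
    ids = []
    for part in raw.split(","):
        part = part.strip()
        if not re.fullmatch(r"[0-9]+", part):
            raise ValueError("rejected non-numeric thread id: %r" % part)
        ids.append(int(part))
    if not ids:
        raise ValueError("no thread ids supplied")
    return ids


def build_kill_statements(thread_ids):
    """Build KILL statements from already-validated ints, not from query output."""
    return ["KILL %d;" % tid for tid in thread_ids]


KILL_STMT = re.compile(r"^KILL [0-9]+;$")


def filter_generated_statements(rows):
    """Second-order guard: when statements come back from a prior query
    (e.g. a concat() over the process list), execute only those matching the
    exact shape we expect and drop everything else for logging."""
    accepted, rejected = [], []
    for stmt in rows:
        stmt = stmt.strip()
        (accepted if KILL_STMT.match(stmt) else rejected).append(stmt)
    return accepted, rejected


if __name__ == "__main__":
    conn = make_demo_db()
    tautology = "' OR '1'='1"
    print("vulnerable:", report_vulnerable(conn, tautology))  # leaks every row
    print("fixed:     ", report_fixed(conn, tautology))       # literal match, []
    print(build_kill_statements(parse_thread_ids("12, 34")))
    print(filter_generated_statements(["KILL 12;", "DROP TABLE x;"]))
```

The key design point is that `parse_thread_ids` and `filter_generated_statements` are allowlists on shape, not denylists on keywords: a value is either an integer or it is rejected, and a generated statement either matches `KILL <n>;` exactly or it is not run. Rejected items are returned rather than silently dropped so the caller can log them as a detection signal.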
Unexpected result
SQL injection without privileges, and SQL injection that modifies arbitrary data while bypassing the SQL review restriction. Any logged-in user can combine these vulnerabilities to execute arbitrary SQL statements without restriction or logging.
Log text
No response
Version
v1.8.5
Deployment method
Docker
Is there any other information that could help locate the problem, such as the database version?
No response