SQL Injection in Users Login Log

Any critical bugs will be fixed within 24-48 hours.
abmatheus
Posts: 2
Joined: 09 Apr 2024, 00:13
Name: X
Location: XX

SQL Injection in Users Login Log

Post by abmatheus »

Hello, I've identified an SQL Injection vulnerability in the Users Login Log functionality.

Below is a normal request sent to the functionality.
[screenshot: sqli.png]
And here is a request with a time-based payload, where one can note that the request takes a while to process due to sleep().
[screenshot: sqli1.png]
This can be automated with the SQLmap tool by saving the request to a text file (request.txt for example) and running the following command:

sqlmap -r request.txt --current-db --current-user
[screenshot: sqli2.png]

From what I could understand, the affected code seems to be the following, in the users_login_log.php file.

$where_sql = '';

foreach($_POST['filters'] as $filter)
{
	if(strlen($filter['value'])>0)
	{
		switch($filter['name'])
		{
			case 'type':
				// user-supplied value is concatenated into the SQL string without escaping
				$where_sql .= " and is_success='" . $filter['value'] . "'";
				break;
			case 'users_id':
				// same here: no escaping and no parameter binding
				$where_sql .= " and users_id='" . $filter['value'] . "'";
				break;
		}
	}
}

$listing_sql = "select * from app_users_login_log where id>0 {$where_sql} order by date_added desc";
$listing_split = new split_page($listing_sql,'users_login_log_listing','',CFG_APP_ROWS_PER_PAGE);
$items_query = db_query($listing_split->sql_query);

Please let me know if you need any additional information or assistance.
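A hardened version of the filter loop quoted above, added here as an example and not the project's own code. It assumes a mysqli connection ($db) with mysqlnd, and the table and column names from the report; the helper names build_login_log_where and query_login_log are hypothetical.

```php
<?php
// Added example, not the project's code. Assumes a mysqli connection ($db)
// built with mysqlnd, and the table/column names quoted in the report.

// Build the WHERE fragment with '?' placeholders only. Filter names are mapped
// through a whitelist, so neither the name nor the value reaches the SQL text.
function build_login_log_where(array $filters): array
{
    $columns = [
        'type'     => 'is_success',
        'users_id' => 'users_id',
    ];
    $where_sql = '';
    $params = [];
    foreach ($filters as $filter) {
        $name  = $filter['name'] ?? '';
        $value = (string) ($filter['value'] ?? '');
        if ($value === '' || !isset($columns[$name])) {
            continue;                 // unknown filter names are dropped
        }
        $where_sql .= " and {$columns[$name]} = ?";
        $params[]   = $value;         // bound later, never concatenated
    }
    return [$where_sql, $params];
}

// Run the listing query as a prepared statement; values are sent as data.
function query_login_log(mysqli $db, array $filters): mysqli_result
{
    [$where_sql, $params] = build_login_log_where($filters);
    $sql  = "select * from app_users_login_log where id > 0{$where_sql} order by date_added desc";
    $stmt = $db->prepare($sql);
    if ($params !== []) {
        $stmt->bind_param(str_repeat('s', count($params)), ...$params);
    }
    $stmt->execute();
    return $stmt->get_result();
}

// Constructed input: a quote-breaking value of the kind shown in the report.
// With binding it is compared against users_id as a literal string instead of
// being spliced into the query text.
$filters = [
    ['name' => 'users_id', 'value' => "1' or '1'='1"],
    ['name' => 'type',     'value' => '1'],
    ['name' => 'bogus',    'value' => 'ignored'],
];
var_dump(build_login_log_where($filters));
```

The same approach applies to any other listing page that assembles its WHERE clause from $_POST filters; a quick check is to grep for `$filter['value']` being concatenated into a string that later reaches db_query.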
support
Site Admin
Posts: 6215
Joined: 19 Oct 2014, 18:22
Name: Sergey Kharchishin
Location: Russia, Evpatoriya

Re: SQL Injection in Users Login Log

Post by support »

To find any XSS, SQL injection, etc., please log in as a non-admin user. I did not add any protection for the admin user, because the admin can add their own PHP, JS and HTML code to the app.
abmatheus
Posts: 2
Joined: 09 Apr 2024, 00:13
Name: X
Location: XX

Re: SQL Injection in Users Login Log

Post by abmatheus »

I can't quite grasp your point. This is not related to PHP, JS, or HTML in any way?

If this functionality were specifically designed to run database queries (which doesn't seem to be the case here), then maybe it would make sense to say it's a feature... and, in any case, a sandbox would be advised anyway.

There are similar scenarios on other systems (e.g. WordPress) that you could check to learn about it. But anyway, I completely understand if you are not willing to fix this or other vulnerabilities. Have a nice week ahead.