
Player Polls SQL Injection

High
Amelia0010 published GHSA-xrvw-4jpf-cf4p Oct 19, 2019 · 1 comment

Package

No package listed

Affected versions

e2f428c9c8fd8fc31bcc8c3b0c71377cb8e57ca6

Patched versions

a97574860fa6a7b39b10103d32e9ca7ec2a819a9

Description

It's possible to execute an SQL Injection attack using the player polls functionality. This can be done by abusing Topic() and HREFs.

On the live server we have poll ID 28 for "Should clockcult be removed from rotation?"; I'll be using this poll as an example.

Performing the exploit

Get your mob id by shift+ctrl clicking "Setup Character"; this will open Internet Explorer with a url containing your Mob ID.
Clear the chat box and enter this message byond:///?src=[];pollidshow=1 OR id=28
You should see a new window open with the poll results.
How it works
The raw input from the pollidshow field is passed straight into the SQL query with no input validation.

How to fix
Add an is_num check to the pollidshow field before it's inserted into the query.

This is just a small example in which you could open any poll you like; the same flaw could be expanded upon to allow an attacker to drop tables or give themselves permissions.
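To show the defect and the suggested fix side by side, here is an added Python/sqlite3 example; it is not part of the advisory or the game's own DM code. It models the pollidshow handling against a constructed poll table, concatenates the raw href value the way the vulnerable code does, and then applies the numeric check the advisory recommends together with parameter binding. The table name, the minimal href parser, and every poll id other than 28 are assumptions made for the example.

```python
import re
import sqlite3


def make_db():
    """Constructed stand-in for the game's poll table (in-memory sqlite).

    Only poll 28 comes from the advisory; the other rows are made up.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE poll_question (id INTEGER PRIMARY KEY, question TEXT)")
    conn.executemany(
        "INSERT INTO poll_question VALUES (?, ?)",
        [
            (27, "Constructed example poll A"),
            (28, "Should clockcult be removed from rotation?"),
            (29, "Constructed example poll B"),
        ],
    )
    return conn


def parse_href(query):
    """Split a 'key=value;key=value' href query into a dict.

    BYOND hands Topic() its parameters as an href_list; this tiny parser
    only mirrors the shape used in the advisory's payload (assumption).
    """
    params = {}
    for item in query.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            params[key] = value
    return params


def show_poll_vulnerable(conn, href_list):
    """The defect the advisory describes: the raw field is pasted into the SQL text."""
    sql = "SELECT id, question FROM poll_question WHERE id=" + href_list["pollidshow"]
    return conn.execute(sql).fetchall()


def show_poll_fixed(conn, href_list):
    """The fix: accept only a plain integer, then bind it as a query parameter.

    The numeric check alone already stops 'OR id=28' from reaching the query;
    binding the value as well keeps the SQL text constant whatever the input.
    Returns None when the request is rejected.
    """
    raw = href_list.get("pollidshow", "")
    if not re.fullmatch(r"[0-9]+", raw):
        return None
    return conn.execute(
        "SELECT id, question FROM poll_question WHERE id=?", (int(raw),)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = parse_href("src=[];pollidshow=1 OR id=28")  # the advisory's input
    print("vulnerable:", show_poll_vulnerable(db, payload))
    print("fixed:", show_poll_fixed(db, payload))
    print("fixed, legitimate:", show_poll_fixed(db, parse_href("src=[];pollidshow=28")))
```

Run as a script, the vulnerable path returns poll 28 for an input that was never a poll id, while the fixed path rejects the same input and still serves a legitimate numeric request. In a code review, any place where an href_list value is joined into a query string is the pattern to look for; the numeric check belongs before the value is used, not inside the query.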

Severity

High

CVE ID

No known CVE

Weaknesses

No CWEs