Summary
Recently, the White Hat Security Research Institute found that a SQL injection vulnerability had been disclosed in Laravel. Laravel has many users around the world. The framework is very popular abroad, and it has far more users abroad than domestically, although large domestic enterprises also use it. The SQL injection vulnerability disclosed this time is not generally exploitable and requires certain conditions. See the analysis below for details, and the link at the bottom for the original description on the official blog.
Distribution situation
At present, the latest data from the FOFA system shows that there are 368610 open Laravel services in the world.
The distribution by country is as follows:
Vulnerability details
The vulnerability lies in Laravel's form validation feature. The vulnerable function is ignore(), and the vulnerable file is /vendor/laravel/framework/src/Illuminate/Validation/Rules/Unique.php. Developers sometimes want a uniqueness check to skip a specific row, identified by a field and its value, and they usually do this by calling the ignore() method of the Rule class. This method has two parameters: the first is the field value, the second is the field name. When the field name is empty, it defaults to "id". If a user can control the parameter values passed to ignore(), a SQL injection vulnerability results.
To view the ignore method:
As you can see from the code, the ignore() method does not filter the parameters passed in; they are assigned directly to object properties.
Build test environment:
Here I use the error message to view the executed SQL statements and send the following requests:
- /test?email=1&id=1 union select user()#
- /test?email=1/`&id=1&column=/ union select user()--+-
You can see that the injection operation was performed successfully.
With prepared statements, usually only the field value is bound as a parameter, not the field name. Therefore, when PDO is enabled, SQL statements separated by semicolons can also be used for multi-statement queries, resulting in SQL injection.
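The following is an added example, not code from the original article or from Laravel: a simplified stand-in for a "unique except this row" check, showing that bound values are safe while a concatenated column name is parsed as SQL. The `users` table, both functions and the sample rows are constructed for illustration; it assumes PHP with the pdo_sqlite extension.

```php
<?php
// Added example: simplified model of a "unique except this row" query.
// Table, column names and sample rows are constructed for illustration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)');
$pdo->exec("INSERT INTO users (id, email) VALUES (1, 'a@example.test'), (2, 'b@example.test')");

// Weak form: both values are bound, but $idColumn is concatenated into the
// statement text, so whatever it contains is parsed as SQL.
function isUniqueUnsafe(PDO $pdo, string $email, $ignoreId, string $idColumn = 'id'): bool
{
    $stmt = $pdo->prepare("SELECT COUNT(*) FROM users WHERE email = ? AND $idColumn <> ?");
    $stmt->execute([$email, $ignoreId]);
    return (int) $stmt->fetchColumn() === 0;
}

// Hardened form: the identifier must be on a fixed allowlist, and the ignored
// id is an integer chosen by the server (for example the logged-in user's id).
function isUniqueSafe(PDO $pdo, string $email, int $ignoreId, string $idColumn = 'id'): bool
{
    $allowed = ['id'];
    if (!in_array($idColumn, $allowed, true)) {
        throw new InvalidArgumentException('Unexpected id column');
    }
    $stmt = $pdo->prepare("SELECT COUNT(*) FROM users WHERE email = ? AND \"$idColumn\" <> ?");
    $stmt->execute([$email, $ignoreId]);
    return (int) $stmt->fetchColumn() === 0;
}

// Normal use: user 1 may keep their own address, user 2 may not take it.
var_dump(isUniqueSafe($pdo, 'a@example.test', 1));
var_dump(isUniqueSafe($pdo, 'a@example.test', 2));

// Constructed untrusted column value. It is not an identifier, so it changes
// the WHERE clause and the weak check reports a taken address as free.
$column = '1 = 0 AND id';
var_dump(isUniqueUnsafe($pdo, 'a@example.test', 2, $column));

// The hardened check refuses the same input before any SQL is built.
try {
    isUniqueSafe($pdo, 'a@example.test', 2, $column);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```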
Severity
High-risk
Affected versions
Version 5.8.5 and below
Fix
The latest version has been officially released. Please download the update from GitHub: https://github.com/laravel/framework/
References
https://blog.laravel.com/unique-rule-sql-injection-warning?fbclid=IwAR26Cs1Ewh983UxSF5fNO8Xr0hUnwSO_Ikbr08Adi20m5h5llP0WhNDmgRg
https://github.com/laravel/framework/pull/27940?fbclid=IwAR3fn47kuNEE5twXcJb7ty1DXJuMIPmH-xVSrd17wuAUeOAITh4t5a7hfuE#discussion_r267180031
https://learnku.com/docs/laravel/5.8/validation/3899#rule-unique
https://learnku.com/laravel/t/26033
White Hat will continue to follow up on this vulnerability. Follow the link https://nosec.org/home/detail/2395.html.
Baimaohui is engaged in information security, focusing on security big data and enterprise Threat Intelligence.