CVE-2025-15439

MEDIUM 5.3 / 10.0
Published: January 2, 2026 at 05:15 PM
Modified: January 8, 2026 at 06:09 PM
Source: cna@vuldb.com

Vulnerability Description

A vulnerability was identified in Daptin 0.10.3. Affected by this vulnerability is the function goqu.L of the file server/resource/resource_aggregate.go of the component Aggregate API. Manipulation of the column, group, or order argument leads to SQL injection. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Metrics

Base Score
5.3
Severity
MEDIUM
Vector String
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Weaknesses (CWE)

Source: cna@vuldb.com

AI Security Analysis

01 // Technical Summary

Daptin 0.10.3 suffers from a critical SQL injection vulnerability in its Aggregate API, allowing attackers to remotely execute arbitrary SQL commands. This flaw, stemming from improper sanitization of user-supplied input within the goqu.L function, can lead to complete database compromise and data exfiltration.

02 // Vulnerability Mechanism

Step 1: Payload Delivery: The attacker crafts a malicious payload containing SQL injection code. This payload is designed to manipulate the column, group, or order parameters of the Aggregate API endpoint.

Step 2: Request Submission: The attacker sends the crafted payload as part of an HTTP request to the vulnerable Aggregate API endpoint. The request targets the goqu.L function.

Step 3: Query Construction: The application receives the request and, due to the vulnerability, directly incorporates the attacker-supplied payload into the SQL query without proper sanitization.

Step 4: Query Execution: The database server executes the maliciously crafted SQL query. The injected code alters the intended behavior of the query.

Step 5: Data Exfiltration/Manipulation: Depending on the injected SQL code, the attacker can then exfiltrate sensitive data, modify existing data, or potentially gain remote code execution on the database server.

03 // Deep Technical Analysis

The vulnerability lies within the goqu.L function in server/resource/resource_aggregate.go of Daptin 0.10.3. This function is responsible for handling column, group, and order parameters within the Aggregate API. The root cause is the lack of proper input validation and sanitization of user-controlled input used to construct SQL queries. Specifically, the application directly incorporates user-provided values for column, group, or order parameters into the SQL query without escaping special characters or validating the input against a whitelist. This allows an attacker to inject malicious SQL code, such as adding additional WHERE clauses, modifying existing queries, or executing arbitrary commands through the database.
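As an added example (not Daptin's code), the pattern that removes this class of bug in Go: every column, group and order value is checked against the resource's own column list before it is placed in the statement, instead of being handed to a raw-SQL builder such as goqu.L. The function names, the "-" prefix for descending order, and the trusted table name are assumptions of the example.

```go
package main

import (
	"errors"
	"regexp"
	"strings"
)

var identRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// quoteIdent accepts only a bare identifier listed in schema and double-quotes it;
// quotes, spaces, comments and subqueries are rejected before any SQL text exists.
func quoteIdent(name string, schema map[string]bool) (string, error) {
	if !identRe.MatchString(name) || !schema[name] {
		return "", errors.New("identifier rejected: " + name)
	}
	return `"` + name + `"`, nil
}

// orderTerm treats a leading "-" as DESC (an assumed convention) and validates the rest.
func orderTerm(v string, schema map[string]bool) (string, error) {
	col, err := quoteIdent(strings.TrimPrefix(v, "-"), schema)
	return col + map[bool]string{true: " DESC", false: " ASC"}[strings.HasPrefix(v, "-")], err
}

// clause validates every value with f and returns kw plus the joined list ("" if empty), reporting every rejection.
func clause(kw string, vals []string, schema map[string]bool, f func(string, map[string]bool) (string, error)) (string, error) {
	out, errs := []string{}, []error{}
	for _, v := range vals {
		s, err := f(v, schema)
		out, errs = append(out, s), append(errs, err)
	}
	if len(out) == 0 {
		return "", nil
	}
	return kw + strings.Join(out, ", "), errors.Join(errs...)
}

// BuildAggregateQuery assembles SQL from validated pieces only; table is assumed to come from server routing, not the request.
func BuildAggregateQuery(table string, column, group, order []string, schema map[string]bool) (string, error) {
	sel, err1 := clause("SELECT ", column, schema, quoteIdent)
	grp, err2 := clause(" GROUP BY ", group, schema, quoteIdent)
	ord, err3 := clause(" ORDER BY ", order, schema, orderTerm)
	if sel == "" {
		err1 = errors.New("column is required")
	}
	if err := errors.Join(err1, err2, err3); err != nil {
		return "", err
	}
	return sel + ` FROM "` + table + `"` + grp + ord, nil
}
```

The same allowlist check belongs in any code path that turns request parameters into identifiers, since value placeholders in a prepared statement cannot protect column or ORDER BY names.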
