Add a POC for CVE-2024-36039 inside flask-mysql-uwsgi

AikidoSec · Sep 16, 2024 · 818263a · 818263a
1 parent 484bd88
commit 818263a
Show file tree

Hide file tree

Showing 4 changed files with 71 additions and 1 deletion.
diff --git a/aikido_zen/vulnerabilities/sql_injection/uinput_occ_safely_encapsulated.py b/aikido_zen/vulnerabilities/sql_injection/uinput_occ_safely_encapsulated.py
@@ -94,4 +94,4 @@ def uinput_occ_safely_encapsulated(query, user_input):
         if "\\" in without_escape_sequences:
             return False
 
-    return True
+    return False # Disable safe encapsulation
diff --git a/sample-apps/flask-mysql-uwsgi/app.py b/sample-apps/flask-mysql-uwsgi/app.py
@@ -48,3 +48,22 @@ def create_dog():
     cursor.execute(f'INSERT INTO dogs (dog_name, isAdmin) VALUES ("%s", 0)' % (dog_name))
     connection.commit()
     return f'Dog {dog_name} created successfully'
+
+@app.route("/create_with_json", methods=['GET'])
+def show_auth_form():
+    return render_template('create_json.html')
+
+@app.route("/create_with_json", methods=['POST'])
+def post_auth():
+    data = request.get_json()
+    connection = mysql.get_db()
+    print(data)
+    print(dict(data))
+    escaped_data = connection.escape(dict(data))
+    print(escaped_data)
+
+    cursor = connection.cursor()
+    cursor.execute(f'INSERT INTO dogs (dog_name, isAdmin) VALUES ("%s", 0)' % (escaped_data))
+    connection.commit()
+    return 'Dog created successfully'
+
diff --git a/sample-apps/flask-mysql-uwsgi/requirements.txt b/sample-apps/flask-mysql-uwsgi/requirements.txt
@@ -2,3 +2,4 @@ flask==2.3.3
 flask-mysql
 cryptography
 uwsgi
+pymysql==0.9.0
diff --git a/sample-apps/flask-mysql-uwsgi/templates/create_json.html b/sample-apps/flask-mysql-uwsgi/templates/create_json.html
@@ -0,0 +1,50 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Create (with JSON)</title>
+    <script>
+        function submitForm(inject) {
+            var dogName = document.getElementById('dog_name').value;
+            var statusElement = document.getElementById('status');
+            if(inject)
+                var data = JSON.stringify({"dog\", 0); -- ": 0});
+            else
+                var data = dogName
+
+
+            fetch('/create_with_json', {
+                method: 'POST',
+                headers: {
+                    'Content-Type': 'application/json'
+                },
+                body: data
+            })
+            .then(response => {
+                if (response.ok) {
+                    return response.text();
+                }
+                statusElement.innerText = "Network response was not ok."
+                throw new Error('Network response was not ok.');
+            })
+            .then(data => {
+                statusElement.innerText = data
+                console.log(data);
+            })
+            .catch(error => {
+                console.error('Error:', error);
+            });
+        }
+    </script>
+</head>
+<body>
+    <h1>Create (with JSON)</h1>
+    <label for="dog_name">Dog Name:</label>
+    <input type="text" id="dog_name" name="dog_name" required><br/>
+    <button onclick="submitForm(false)">Create</button>
+    <button onclick="submitForm(true)">Create (with SQL injection)</button>
+    <p>Status: <span id="status"></span></p>
+</body>
+</html>