From 818263abcee412201bd21b19f70659f3afe55194 Mon Sep 17 00:00:00 2001
From: Wout Feys
Date: Mon, 16 Sep 2024 11:36:32 +0200
Subject: [PATCH] Add a POC for CVE-2024-36039 inside flask-mysql-uwsgi

---
 .../uinput_occ_safely_encapsulated.py | 2 +-
 sample-apps/flask-mysql-uwsgi/app.py | 19 +++++++
 .../flask-mysql-uwsgi/requirements.txt | 1 +
 .../templates/create_json.html | 50 +++++++++++++++++++
 4 files changed, 71 insertions(+), 1 deletion(-)
 create mode 100644 sample-apps/flask-mysql-uwsgi/templates/create_json.html

diff --git a/aikido_zen/vulnerabilities/sql_injection/uinput_occ_safely_encapsulated.py b/aikido_zen/vulnerabilities/sql_injection/uinput_occ_safely_encapsulated.py
index 035f272f..003939fc 100644
--- a/aikido_zen/vulnerabilities/sql_injection/uinput_occ_safely_encapsulated.py
+++ b/aikido_zen/vulnerabilities/sql_injection/uinput_occ_safely_encapsulated.py
@@ -94,4 +94,4 @@ def uinput_occ_safely_encapsulated(query, user_input):
 if "\\" in without_escape_sequences:
 return False
- return True
+ return False # Disable safe encapsulation
diff --git a/sample-apps/flask-mysql-uwsgi/app.py b/sample-apps/flask-mysql-uwsgi/app.py
index 28158058..d3093d31 100644
--- a/sample-apps/flask-mysql-uwsgi/app.py
+++ b/sample-apps/flask-mysql-uwsgi/app.py
@@ -48,3 +48,22 @@ def create_dog():
 cursor.execute(f'INSERT INTO dogs (dog_name, isAdmin) VALUES ("%s", 0)' % (dog_name))
 connection.commit()
 return f'Dog {dog_name} created successfully'
+
+@app.route("/create_with_json", methods=['GET'])
+def show_auth_form():
+ return render_template('create_json.html')
+
+@app.route("/create_with_json", methods=['POST'])
+def post_auth():
+ data = request.get_json()
+ connection = mysql.get_db()
+ print(data)
+ print(dict(data))
+ escaped_data = connection.escape(dict(data))
+ print(escaped_data)
+
+ cursor = connection.cursor()
+ cursor.execute(f'INSERT INTO dogs (dog_name, isAdmin) VALUES ("%s", 0)' % (escaped_data))
+ connection.commit()
+ return 'Dog created successfully'
+
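Review bot: The unconditional `return False` that replaces `return True` at the end of `uinput_occ_safely_encapsulated` makes every check above it dead code, so the SQL-injection detector now reports no user input as safely encapsulated for any query; that is a library-wide behaviour change shipped in the same commit as a sample-app POC, and the subject line does not mention it. The comment `# Disable safe encapsulation` says what is done but not why or for how long, which is exactly what the next reader of `aikido_zen/vulnerabilities/sql_injection/` will need. Either drop this hunk before merging, or mark it as temporary with a reason, e.g. `# TODO(review): forces every encapsulation check to fail so the CVE-2024-36039 POC is flagged — revert before release`. The body of `uinput_occ_safely_encapsulated` starts outside the hunk.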
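Review bot: In `post_auth`, `dict(data)` raises TypeError when the request body is not JSON, because `request.get_json()` returns None in that case, so the handler fails before the query it is meant to exercise is ever built; `data = request.get_json(silent=True) or {}` (or an explicit 400 on None) keeps the POC reachable. Since `escaped_data` appears to be a dict (it is `connection.escape(dict(data))`), `'... %s ...' % (escaped_data)` has no mapping keys and interpolates the whole dict repr into the `dog_name` column — presumably the dict-escaping behaviour this CVE-2024-36039 POC relies on, but nothing in the hunk says the handler is deliberately vulnerable, so add a header comment such as `# Intentionally vulnerable: POC for CVE-2024-36039 (pymysql escape of a dict) — not a pattern to copy` so it is not mistaken for a template. The three `print(...)` calls are debug leftovers, and the names `show_auth_form`/`post_auth` do not describe endpoints that render and submit `create_with_json`. `create_dog` ends inside the hunk; both new functions are complete.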
diff --git a/sample-apps/flask-mysql-uwsgi/requirements.txt b/sample-apps/flask-mysql-uwsgi/requirements.txt
index 12fbe9b8..557bf035 100644
--- a/sample-apps/flask-mysql-uwsgi/requirements.txt
+++ b/sample-apps/flask-mysql-uwsgi/requirements.txt
@@ -2,3 +2,4 @@ flask==2.3.3
 flask-mysql
 cryptography
 uwsgi
+pymysql==0.9.0
diff --git a/sample-apps/flask-mysql-uwsgi/templates/create_json.html b/sample-apps/flask-mysql-uwsgi/templates/create_json.html
new file mode 100644
index 00000000..22a54d6c
--- /dev/null
+++ b/sample-apps/flask-mysql-uwsgi/templates/create_json.html
@@ -0,0 +1,50 @@
+ + + + + + Create (with JSON) + + +
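Review bot: `pymysql==0.9.0` is pinned with nothing indicating that the old version is chosen on purpose for the CVE-2024-36039 POC this commit adds, so a reviewer or an automated dependency bump will upgrade it and silently break the sample. A comment line above the pin makes the intent durable, e.g. `# pinned to an old version on purpose: CVE-2024-36039 POC in app.py — do not upgrade`.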

Create (with JSON)

+ +
+ + +

Status:

+ +