
demonz (Level 2)

I got an SQL injection attack on one of my routes in Laravel

Hi guys, my routes are protected by Spatie roles and permissions. For example, a route called student is protected by the admin role as middleware. Now the attacker tried to access this route and I got the following error through Sentry. Does it mean he already has access to the method in the controller? Because this method contains a scope search that was vulnerable to SQL injection.

PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'll reply to your query as soon as possible, but this can take up to 48 hours. Al' at line 1
 File "/app/Http/Controllers/StudentController.php", line 44, in App\Http\Controllers\StudentController::index
   ->paginate()
 File "/public/index.php", line 51
   $response = $kernel->handle(
...
(69 additional frame(s) were not displayed)
Illuminate\Database\QueryException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'll reply to your query as soon as possible, but this can take up to 48 hours. Al' at line 1 (SQL: select count(*)....
0 likes
6 replies
tykus

How is the search implemented in the StudentController? It looks like you have missed an opportunity to properly sanitise and parameterize the user-provided search text.

demonz (Level 2)

@tykus yeah, it was a bad search implementation. But what I want to know is: did he pass the routes and have access to the method or not?

tykus

@demonz there was an attempt to execute the Eloquent query in the StudentController at line 44; how is it protected? Can you share the route(s) that are mapped to the index action?

demonz (Level 2)

@tykus this is the route

Route::get('student', [StudentController::class, 'index'])->name('student.index')->middleware(['auth','role:SuperAdmin']);

and this is the method inside the controller

public function index()
{
    return Inertia::render('Student/Index', [
        'filters' => Request::all('search', 'trashed'),
        'students' => new StudentCollection(
            Student::orderBy('created_at', 'desc')
                ->with('user')
                ->filter(Request::only('search', 'trashed'))
                ->paginate()
                ->appends(Request::all())
        ),
    ]);
}

and this is the scope search

public function scopeFilter($query, array $filters)
{
    $query->when($filters['search'] ?? null, function ($query, $search) {
        $query->where(function ($query) use ($search) {
            // sql injection: $search is interpolated straight into the raw SQL string
            $query->whereRaw("CONCAT(first_name, ' ', second_name, ' ', last_name) LIKE '%{$search}%'")
                ->orWhereHas('user', function ($query) use ($search) {
                    $query->where('email', 'like', '%'.$search.'%');
                })
                ->orWhere('mobile', 'like', '%'.$search.'%');
        });
    })->when($filters['trashed'] ?? null, function ($query, $trashed) {
        if ($trashed === 'with') {
            $query->withTrashed();
        } elseif ($trashed === 'only') {
            $query->onlyTrashed();
        }
    });
}

The issue here is: how did he try to use this method even though it's protected by the admin role middleware? Does it mean he already has access to the admin role, for example using a stolen token? Or is this exception normal when someone tries to visit a route he doesn't have access to?

tykus (Level 104), Best Answer

@demonz the middleware is intended to prevent access to the Route's action before it is executed, so auth and/or role middleware have been satisfied in this case, unless there is another unprotected route that delegates to StudentController@index?

Why do you think this action was malicious; do you know that it was not the SuperAdmin performing the action?

Aside, your whereRaw syntax does not parameterize the search, but you can modify it:

$search = "%{$search}%";
$query->whereRaw("CONCAT(first_name, ' ', second_name, ' ', last_name) LIKE ?", [$search]);
2 likes
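To make the answer above concrete, here is an added example (not code from the thread, from Laravel or from Spatie) that reproduces both the failure in the Sentry report and the parameterized fix using plain PDO against an in-memory SQLite database. It assumes the pdo_sqlite extension is available and uses SQLite's `||` operator where MySQL would use CONCAT().

```php
<?php
// Added example: same CONCAT ... LIKE pattern as the thread's scopeFilter, but with
// plain PDO and SQLite so it runs without Laravel or MySQL. SQLite has no CONCAT();
// the || operator builds the same "first second last" string.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE students (first_name TEXT, second_name TEXT, last_name TEXT)');
// Constructed sample rows; note the apostrophe in the surname.
$pdo->exec("INSERT INTO students VALUES ('Ann', 'Marie', 'O''Neil'), ('Bob', 'Lee', 'Smith')");

// The unsafe version from the thread: the search text is spliced into the SQL string.
function searchUnsafe(PDO $pdo, string $search): array
{
    $sql = "SELECT first_name, last_name FROM students "
         . "WHERE first_name || ' ' || second_name || ' ' || last_name LIKE '%{$search}%'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The fix from the answer: bind the whole pattern as a parameter, so the search text
// is data and can never terminate the string literal or change the query's shape.
function searchSafe(PDO $pdo, string $search): array
{
    $stmt = $pdo->prepare("SELECT first_name, last_name FROM students "
         . "WHERE first_name || ' ' || second_name || ' ' || last_name LIKE ?");
    $stmt->execute(["%{$search}%"]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A perfectly legitimate search that happens to contain an apostrophe, just as the
// admin's pasted paragraph did ("...we'll reply to your query...").
$search = "O'Neil";

try {
    searchUnsafe($pdo, $search);
} catch (PDOException $e) {
    // The apostrophe closes the '%...%' literal early and the remainder is parsed as
    // SQL: this is the "syntax error ... near ..." that Sentry reported, no attacker needed.
    echo "unsafe query failed: " . $e->getMessage() . PHP_EOL;
}

// The bound version returns Ann O'Neil and never touches the SQL grammar.
print_r(searchSafe($pdo, $search));
```

The same input that merely crashes the unsafe query here is what an attacker would shape into an injection, so the exception is a symptom of the raw interpolation, not proof that the middleware was bypassed.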
demonz (Level 2)

@tykus it seems I was overthinking and it's not an SQL injection attack haha. I guess the admin wrote a suspicious paragraph in the search, which made me think the hacker passed the route middleware LOL. Anyway, thank you bro.

2 likes
