Serious SQL Injection vulnerability in laravel-query-builder

The popular package laravel-query-builder has released a security update fixing a serious SQL injection vulnerability.

laravel-query-builder lets developers filter, sort and include Eloquent (Laravel's ORM) relations based on parameters in the incoming request. The QueryBuilder class used by this package extends Laravel's default Eloquent builder.

  • Attack Risk: Critical / Remote
  • Vulnerability: SQL Injection
  • Vendor: Spatie/laravel-query-builder
  • Language: PHP
  • Patched version: 1.16.1 / 1.17.1

Because of the way the Laravel query builder turns a column string into SQL, an attacker can use the package's sort parameter to inject SQL into the generated query. See the official advisory for the package's own description of the issue.

Technical Details

The package parses the request's query string and turns its parameters into filters, sorts and includes on the Eloquent query.

For example, to let clients sort articles by title, they would request:

https://example.com/articles?sort=title

and the application would use code like the following to let the package apply the sort automatically:

use Spatie\QueryBuilder\QueryBuilder;

// The package reads the `sort` parameter from the current request
// and applies it to the Eloquent query for Article.
$articles = QueryBuilder::for(Article::class)->get();

This will be translated into:

Article::orderBy('title')->get();

And the underlying SQL query will be:

select * from `articles` order by `title` asc

So far nothing is wrong, but an attacker can take advantage of this transformation to perform a SQL injection attack against your database.

The attacker changes the URL to this:

https://example.com/articles?sort=title->"%27))%23injectedSQL

Because Laravel supports querying JSON columns, its MySQL grammar treats a column name containing -> as a JSON column followed by a path: title->foo becomes json_unquote(json_extract(`title`, '$."foo"')). The path is placed inside a single-quoted string literal without any escaping, so the %27 (a single quote) in the payload terminates that literal, the )) close json_extract and json_unquote, and the %23 (a # character) turns the remainder of the statement into a MySQL comment.

Here is what the final SQL query looks like:

select * from `articles` order by json_unquote(json_extract(`title`, '$.""'))#injectedSQL"')) asc

Anything the attacker places between the closing )) and the # is executed as part of the ORDER BY clause, while the grammar's trailing "')) asc is discarded as a comment; injectedSQL above is just a placeholder for the real payload. The root cause is that the sort parameter is used as a column identifier. PDO and Laravel only bind query values, never column names, so a column name taken from user input is never escaped as data.
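As an added illustration (not code from the original post, from Laravel or from the package), the following Python script models how Laravel 5.x's MySQL grammar turns a sort column containing -> into json_unquote(json_extract(...)) with the path embedded in a single-quoted string, and why the single quote in the payload breaks out of it. The wrap_* functions are a simplified re-implementation written for this example, both URLs are constructed sample requests, and ALLOWED_SORTS is a hypothetical whitelist standing in for the explicit list of sortable columns an application should enforce on top of the upgrade described under Remediation.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests (not captured traffic): a benign sort and the
# advisory's payload, title->"'))#injectedSQL once percent-decoded.
BENIGN_URL = "https://example.com/articles?sort=title"
HOSTILE_URL = 'https://example.com/articles?sort=title->"%27))%23injectedSQL'


def wrap_value(segment: str) -> str:
    """Model of MySqlGrammar::wrapValue: backtick-quote an identifier."""
    if segment == "*":
        return segment
    return "`" + segment.replace("`", "``") + "`"


def wrap_json_path(path: str) -> str:
    """Model of Laravel 5.x MySqlGrammar::wrapJsonPath.

    The path is dropped into a single-quoted literal as '$."a"."b"' with
    no escaping of quotes, which is exactly what the payload abuses.
    """
    return "'$.\"" + path.replace("->", '"."') + "\"'"


def wrap_column(column: str) -> str:
    """Model of MySqlGrammar::wrap for a column: '->' switches to JSON mode."""
    if "->" in column:
        field, path = column.split("->", 1)
        return (
            "json_unquote(json_extract("
            + wrap_value(field) + ", " + wrap_json_path(path) + "))"
        )
    return ".".join(wrap_value(part) for part in column.split("."))


def sort_param(url: str) -> str:
    """Extract and percent-decode the `sort` query parameter."""
    return parse_qs(urlsplit(url).query).get("sort", [""])[0]


def parse_sort(sort: str):
    """laravel-query-builder convention: a leading '-' means descending."""
    if sort.startswith("-"):
        return sort[1:], "desc"
    return sort, "asc"


def build_order_by(sort: str) -> str:
    """What the vulnerable flow produces: the raw sort string becomes a column."""
    column, direction = parse_sort(sort)
    return "select * from `articles` order by " + wrap_column(column) + " " + direction


# Hypothetical whitelist for this example; in the real package the
# application would declare its sortable columns explicitly.
ALLOWED_SORTS = {"title", "created_at"}


def is_allowed(sort: str) -> bool:
    """True only if the (direction-stripped) column is a known, fixed name."""
    column, _ = parse_sort(sort)
    return column in ALLOWED_SORTS


def safe_order_by(sort: str) -> str:
    """Hardened flow: reject anything that is not an explicitly allowed column."""
    if not is_allowed(sort):
        raise ValueError("sort column not allowed: %r" % parse_sort(sort)[0])
    return build_order_by(sort)


if __name__ == "__main__":
    print(build_order_by(sort_param(BENIGN_URL)))
    print(build_order_by(sort_param(HOSTILE_URL)))
    try:
        safe_order_by(sort_param(HOSTILE_URL))
    except ValueError as err:
        print("rejected:", err)
```

Running the script prints the benign ORDER BY, then the injected statement from the post with the string literal terminated by the payload's quote, and finally the rejection raised by the whitelist check. The whitelist is the important part: because column names can never be bound as parameters, the only safe way to accept a client-chosen sort is to compare it against a fixed set of names (the package exposes this idea as allowedSorts()), never to pass it through to the grammar.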

Remediation

  • If you use Laravel 5.6, 5.7 or 5.8 upgrade Laravel-query-builder to v1.17.1.
  • If you use Laravel 5.5 upgrade the package to v1.16.1.

Am I at Risk?

Shieldfy customers are already protected against SQL Injection attacks.
Regarding this specific issue, our dev team is currently working on adding automatic detection of this vulnerability.
If you are not a Shieldfy user, give us a try at https://shieldfy.io to prevent future incidents.
