SQL Injection vulnerability in laravel-query-builder
The popular package laravel-query-builder has released a security update fixing a serious SQL injection. laravel-query-builder allows developers to filter, sort and include Eloquent (Laravel ORM) relations based on a request. The QueryBuilder used in this package extends Laravel's default Eloquent builder.
- Attack Risk: Critical / Remote
- Vulnerability: SQL Injection
- Vendor: Spatie/laravel-query-builder
- Language: PHP
- Patched version: 1.16.1 / 1.17.1
Because of the way the Laravel query builder parses a column string while compiling the query, an attacker can leverage this to perform a SQL injection attack against the application. See the official advisory for details.
The package parses the request URL to add filters and sorts to queries.
For example, suppose a request asks to sort the articles by title. You may use code like the one below and let the package apply the sort automatically:
use Spatie\QueryBuilder\QueryBuilder;

// Applies the sort (and any filters or includes) from the current request to the Article query.
$articles = QueryBuilder::for(Article::class)->get();
The package translates this into an Eloquent order-by call, and the underlying SQL query is:
select * from `articles` order by `title` asc
So far nothing is wrong, but an attacker can take advantage of this transformation to perform a SQL injection attack on your database.
The attacker changes the URL to this:
Because Laravel supports querying JSON columns, it interprets a column name of the form "title->..." as a JSON path and rewrites it into MySQL JSON functions (json_unquote(json_extract(...))), interpolating the path into the query without escaping it. The attacker exploits this by closing the quoted path and the functions' parentheses with "))" and appending SQL of their own.
The final SQL query looks like this:
select * from articles order by json_unquote(json_extract(title, '$.""'))#injectedSQL"')) asc
Everything after `#` is a MySQL comment, so the trailing `"')) asc` left over from the original statement is discarded. In place of the `#injectedSQL` placeholder the attacker can therefore insert an arbitrary SQL injection payload (followed by `#` so that the trailing fragment is still commented out), and it is executed as part of the query.
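To make the transformation concrete, here is an added example (not code from laravel-query-builder or the Laravel framework) that re-implements in Python the column-wrapping rule Laravel's MySQL grammar applied to sort columns at the time of the advisory, as far as it matters here: split on "->", backtick-wrap the column, quote each path segment and interpolate the result into a single-quoted literal with no escaping. The exact shape of that PHP code is an assumption; the only visible difference from the SQL quoted above is that the real grammar backtick-wraps the column name. The block also shows which part of the resulting statement MySQL actually executes once the `#` comment takes effect, and an allow-list check (my own hardening, not the package's fix) that a controller should apply before the request parameter ever reaches the query builder. The allow-list, table name and the `injectedSQL` placeholder are constructed for the example.

```python
"""Re-implementation of Laravel's JSON-column wrapping as applied to ?sort=,
plus an allow-list check. Added example code, not the framework's or the
package's own; the PHP behaviour it mirrors is an assumption stated above."""
import re


def wrap_value(identifier: str) -> str:
    """Backtick-wrap an identifier, as Laravel's MySQL grammar does for tables and columns."""
    if identifier == "*":
        return identifier
    return "`" + identifier.replace("`", "``") + "`"


def wrap_json_selector(column_expr: str) -> str:
    """Rewrite column->key->... into json_unquote(json_extract(`column`, '$."key"...')).

    The path segments are interpolated into the single-quoted literal verbatim.
    That is what the attacker abuses: a segment containing a quote and closing
    parentheses terminates the literal and both function calls.
    """
    column, *segments = column_expr.split("->")
    path = ".".join('"' + segment + '"' for segment in segments)
    return f"json_unquote(json_extract({wrap_value(column)}, '$.{path}'))"


def wrap_column(column_expr: str) -> str:
    """Grammar wrap rule: JSON selector when the name contains '->', plain identifier otherwise."""
    if "->" in column_expr:
        return wrap_json_selector(column_expr)
    return wrap_value(column_expr)


def compile_order_by(table: str, sort: str) -> str:
    """Build `select * from <table> order by <column> <dir>` for a ?sort= value.

    A leading '-' requests descending order, the convention laravel-query-builder uses.
    """
    if sort.startswith("-"):
        column_expr, direction = sort[1:], "desc"
    else:
        column_expr, direction = sort, "asc"
    return f"select * from {wrap_value(table)} order by {wrap_column(column_expr)} {direction}"


def executed_portion(sql: str) -> str:
    """Return the part of the statement MySQL actually runs.

    A '#' outside a string literal starts a comment that runs to end of line.
    Single- and double-quoted literals are tracked; backslash escapes are not,
    which is sufficient for the statements produced in this example.
    """
    quote = None
    for index, char in enumerate(sql):
        if quote:
            if char == quote:
                quote = None
        elif char in ("'", '"'):
            quote = char
        elif char == "#":
            return sql[:index]
    return sql


# Hardened side: never let user input reach the grammar unchecked.
# Allow-list and identifier pattern are constructed for this example.
ALLOWED_SORT_COLUMNS = frozenset({"title", "created_at"})
SAFE_IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def validate_sort(sort: str, allowed=ALLOWED_SORT_COLUMNS) -> str:
    """Accept only an allow-listed bare column name, optionally prefixed with '-'.

    Rejects '->' and every other character the grammar would interpolate into SQL.
    """
    column = sort[1:] if sort.startswith("-") else sort
    if not SAFE_IDENTIFIER.fullmatch(column) or column not in allowed:
        raise ValueError(f"sort column not allowed: {column!r}")
    return sort


if __name__ == "__main__":
    # The sort value behind the advisory's query; "injectedSQL" is the page's placeholder.
    malicious = 'title->"\'))#injectedSQL'
    sql = compile_order_by("articles", malicious)
    print(sql)
    print(executed_portion(sql))  # everything from '#' onward is dropped by MySQL
    try:
        validate_sort(malicious)
    except ValueError as exc:
        print("rejected:", exc)
```

Running the block prints the full statement from the advisory (with backticks around `title`), then the prefix that MySQL really executes, which ends exactly where the attacker's text begins. The validation step rejects the payload before any SQL is built; restricting sorts to a fixed set of column names is the check to keep regardless of which package version is installed.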
- If you use Laravel 5.6, 5.7 or 5.8, upgrade laravel-query-builder to v1.17.1.
- If you use Laravel 5.5, upgrade the package to v1.16.1.