SQL Injection (Time-Based)

Describe the issue or problem
How to fix SQL injection

  1. URL: 'localhost/ojs/index.php/index/login'
  2. Click on 'username, password and captcha'
  3. OJS version: OJS 3.1.1-4


PFA

  1. Error: Payload used:
     %27%2b((SELECT+1+FROM+(SELECT+SLEEP(25))A))%2b%27+%2f*+98089e48-3a9f-4a56-a4c5-1b599701c710+*%2f

  2. Modify the login request and insert the time-based SQL query
     (%27%2b((SELECT+1+FROM+(SELECT+SLEEP(25))A))%2b%27+%2f*+98089e48-3a9f-4a56-a4c5-1b599701c710+*%2f)
     in the modified request as shown.
     payloads
     PFA

1 Like

Hi @rajeshsingh,

I’ve responded to your private message. Please don’t disclose potential security issues on the public forum in the future; see the security document in the OJS GitHub repo.

Regards,
Alec Smecher
Public Knowledge Project Team

Thank you for the reply.

I audited the OJS journal. There is an SQL injection issue: the server response is delayed after the sleep() function is applied in the username.

Recommendation: whitelist input validation, use of prepared statements (with parameterized queries), use of stored procedures, escaping all user-supplied input.
Reference:
Note: Fix this issue throughout the application.
Payload used:
%27%2b((SELECT+1+FROM+(SELECT+SLEEP(25))A))%2b%27+%2f*+98089e48-3a9f-4a56-a4c5-1b599701c710+*%2f

Reference (R2): Modify the login request and insert the time-based SQL query
(%27%2b((SELECT+1+FROM+(SELECT+SLEEP(25))A))%2b%27+%2f*+98089e48-3a9f-4a56-a4c5-1b599701c710+*%2f)
in the modified request as shown.

![payloads|459x309](upload://xVEekYKDS6gxn3m2gvtyPpETUCd.jpeg)

PFA

Please guide me where to change this.

1 Like

Hi @rajeshsingh,

OJS 3.1.x is no longer supported. However, I have attempted to replicate this locally on a 3.1.x installation and failed.

The OJS codebase uses either ADODB (older versions) or Laravel’s database toolset (newer versions) to manage database queries, and both provide tools for parameter binding to avoid SQL injections. In OJS 3.1.1, this is done for the login query and username parameter in lib/pkp/classes/user/PKPUserDAO.inc.php in the getByUsername function:

$result = $this->retrieve(
    'SELECT * FROM users WHERE username = ?' . ($allowDisabled?'':' AND disabled = 0'),
    array($username)
);

The $username parameter is bound to the query using ADODB’s toolset, not with string concatenation, so it should be protected against SQL injections.

I suspect the installation you’ve noted has been modified somehow to use unsafe string concatenations.

Regards,
Alec Smecher
Public Knowledge Project Team
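The distinction Alec draws above, binding versus string concatenation, is the whole story for this class of bug, and it can be demonstrated without a MySQL server. The following is an added example, not OJS code and not part of the original thread; it uses Python's sqlite3 module and a constructed in-memory users table with the username/disabled columns the quoted query refers to. `get_by_username_bound` has the same shape as the OJS query (value bound to `?`, optional `AND disabled = 0` appended as constant text), while `get_by_username_concat` is the unsafe form a modified installation might have. The decoded payload from this thread is also inserted as a literal username so that the bound query's behaviour is visible: it matches that row as plain data. SQLite has no SLEEP function, so the concatenated variant fails at parse time with "no such function"; the point is not the specific error but that the input changed the statement at all, which the bound variant never allows.

```python
import sqlite3
from urllib.parse import unquote_plus

# Constructed: the URL-encoded payload quoted in this thread, decoded into the
# raw string the login form would hand to the application.
ENCODED_PAYLOAD = (
    "%27%2b((SELECT+1+FROM+(SELECT+SLEEP(25))A))%2b%27+%2f*+9808"
    "9e48-3a9f-4a56-a4c5-1b599701c710+*%2f"
)
DECODED_PAYLOAD = unquote_plus(ENCODED_PAYLOAD)


def setup_db():
    """Constructed in-memory table with the username/disabled columns the OJS query uses.
    The decoded payload is stored as an ordinary username so binding can be observed."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT, disabled INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, disabled) VALUES (?, ?)",
        [("alice", 0), ("bob", 1), (DECODED_PAYLOAD, 0)],
    )
    return conn


def get_by_username_concat(conn, username, allow_disabled=False):
    """Unsafe variant: the input is spliced into the SQL text, so it can alter the statement."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username + "'"
        + ("" if allow_disabled else " AND disabled = 0")
    )
    return [row[0] for row in conn.execute(sql)]


def get_by_username_bound(conn, username, allow_disabled=False):
    """Safe variant with the same shape as the OJS query: the value is bound to '?',
    and only developer-controlled constant text is concatenated."""
    sql = "SELECT username FROM users WHERE username = ?" + (
        "" if allow_disabled else " AND disabled = 0"
    )
    return [row[0] for row in conn.execute(sql, (username,))]


def outcome(conn, username):
    """Compare how the two variants treat the same input.

    concat_statement_altered is True when the concatenated query no longer parses
    as the statement the developer wrote (here: SQLite rejects the injected SLEEP)."""
    try:
        concat_rows = get_by_username_concat(conn, username)
        altered = False
    except sqlite3.OperationalError:
        concat_rows = None
        altered = True
    return {
        "bound_rows": get_by_username_bound(conn, username),
        "concat_rows": concat_rows,
        "concat_statement_altered": altered,
    }


if __name__ == "__main__":
    db = setup_db()
    print(outcome(db, "alice"))
    print(outcome(db, "bob"))
    print(outcome(db, DECODED_PAYLOAD))
```

For a benign username both variants agree; for the payload, the bound query simply looks up a user whose name happens to be that string, while the concatenated query executes a different statement from the one in the source. On MySQL the concatenated form would run the SLEEP, which is the 25-second delay the report observed; a PHP audit of a suspect installation should therefore look for any DAO method that builds SQL with `.` and a request-derived variable instead of passing it through the `retrieve()` parameter array.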

Thanks for your reply.
OJS version 3.1.1.4

One vulnerability: no rate limiting

Users can reset their password multiple times. I want to restrict users to a password change limit, like 5 times, 10 times, etc.
Please help me.

Reference:

Hi @rajeshsingh,

That’s not related to the topic of this thread (time-based SQL injection); to help keep the forum organized, could you post other subjects as new topics?

Thanks,
Alec Smecher
Public Knowledge Project Team

This topic was automatically closed after 10 days. New replies are no longer allowed.