Korzh EasyQuery SQL Injection Vulnerability in Query Builder UI
Vulnerability
A SQL injection vulnerability has been identified in Korzh EasyQuery versions through 7.4.0. The issue arises in the Query Builder UI component, specifically in the request handling of the '/api/easyquery/models/nwind/fetch' endpoint. This vulnerability allows remote attackers to manipulate the generated SQL by injecting arbitrary SQL commands, potentially bypassing the query builder's restrictions and gaining unauthorized access to the underlying database.
Impact
Exploitation of this vulnerability allows for SQL injection, where an attacker can execute arbitrary SQL commands against the application's database. This could lead to unauthorized data access, data manipulation, or in some cases, executing commands on the server where the database is hosted.
Reproduction
The vulnerability can be reproduced using the official Korzh EasyQuery example applications available on GitHub. In the .NET Core 'AdvancedSearch' example project with the default SQLite backend, a request can be made to the '/api/easyquery/models/nwind/fetch' endpoint. The injected SQL command, such as 'union select sqlite_version()', will be executed, demonstrating the SQL injection. Similarly, in the .NET Framework version of the 'AdvancedSearch' project with the default MSSQL backend, a request to the same endpoint with an injection like 'union select @@version' will execute the injected SQL, confirming the vulnerability.
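As an added detection example (not code from the advisory or from Korzh), the following Python scans application log lines for requests to the fetch endpoint named above whose recorded payload carries the SQL markers used in the reproduction steps. It assumes, as a labelled assumption, that the application writes the request payload into each log line; the log lines themselves are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Endpoint named in the advisory; any request to it carrying SQL keywords is suspect.
FETCH_ENDPOINT = "/api/easyquery/models/nwind/fetch"

# Markers drawn from the advisory's reproduction steps, matched case-insensitively
# after URL-decoding. Extend this table for other database back ends.
INJECTION_MARKERS = {
    "union_select": re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    "sqlite_version": re.compile(r"\bsqlite_version\s*\(", re.I),
    "mssql_version": re.compile(r"@@version\b", re.I),
}


def normalize(payload: str) -> str:
    """URL-decode twice (double encoding is a common evasion) and collapse whitespace."""
    decoded = unquote_plus(unquote_plus(payload))
    return re.sub(r"\s+", " ", decoded)


def scan_log(lines):
    """Return (line_no, [marker names]) for every log line that targets the fetch
    endpoint and carries at least one injection marker in its recorded payload."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        text = normalize(line)
        if FETCH_ENDPOINT not in text:
            continue
        matched = [name for name, pat in INJECTION_MARKERS.items() if pat.search(text)]
        if matched:
            hits.append((line_no, matched))
    return hits


# Constructed sample log lines (not from the advisory). The trailing body="..." field
# is an assumption standing in for whatever the application logs as the request payload.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "POST /api/easyquery/models/nwind/fetch HTTP/1.1" 200 body="col=CompanyName"',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "POST /api/easyquery/models/nwind/fetch HTTP/1.1" 200 body="col=CompanyName%20union%20select%20sqlite_version()"',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "POST /api/easyquery/models/nwind/fetch HTTP/1.1" 500 body="col=1%2520UNION%2520ALL%2520SELECT%2520%40%40version"',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /api/easyquery/models/nwind HTTP/1.1" 200 body="-"',
    '10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /index.html?q=union+select HTTP/1.1" 200 body="-"',
]

if __name__ == "__main__":
    for line_no, markers in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(markers)}")
```

Only lines 2 and 3 of the sample are reported: the first because of the plain-encoded 'union select sqlite_version()', the second because the double-encoded 'UNION ALL SELECT @@version' is recovered by the second decoding pass; the unrelated hit on /index.html is ignored because it does not target the fetch endpoint.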
