FastAdmin SQL Injection Vulnerability in Backend Controller

Vulnerability

A time-based blind SQL injection vulnerability exists in FastAdmin versions through 1.7.0.20250506. The issue is located in the Backend controller's selectpage() method, where the field name supplied in the custom parameter is used in the database query without being validated or sanitized. Because the field name ends up in the query as an identifier rather than as a bound value, an authenticated backend user can inject arbitrary SQL through it, potentially leading to the extraction of sensitive database information such as usernames, password hashes, and database structure details.

Impact

Exploitation requires an authenticated backend account; with one, an attacker can inject SQL commands and extract sensitive information from the database, including usernames, password hashes, and other confidential data. Because the injection is blind, data is recovered bit by bit through response timing rather than returned directly. Recovered admin password hashes could in turn be cracked or otherwise used to escalate privileges to a full administrator account.

Reproduction

To reproduce this vulnerability, log into the FastAdmin admin panel with a valid backend account. Once authenticated, send a request to the selectpage() method in the Backend controller whose custom parameter uses a crafted field name carrying a SQL payload such as a conditional sleep. The injection can be verified by comparing the response time against a baseline request with an ordinary field name: a delay that matches the sleep duration you chose, and that grows when you increase it, indicates that the injected SQL was executed, while a one-off slow response may just be network jitter.
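The following Python model is an added illustration of the flaw described in the Vulnerability section and of the timing check described above. It is not FastAdmin's code: the two where-clause builders stand in for a controller that turns a user-supplied custom map into SQL, the column allow-list and the injected key are constructed for the example, and the "database" is a stub that merely models the extra latency a SLEEP() call would add, so everything runs offline.

```python
"""Added example: field-name injection through a custom filter map, beside the
hardened form, plus the baseline-vs-payload timing check used to confirm it.
Constructed model, not FastAdmin code."""
import re
from typing import Callable, Dict, List, Tuple

# Constructed allow-list standing in for the columns of the table that a
# selectpage-style endpoint queries; a real fix would derive it from the schema.
ALLOWED_FIELDS = {"id", "username", "nickname", "status"}

IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def build_where_unsafe(custom: Dict[str, str]) -> Tuple[str, List[str]]:
    """Vulnerable pattern: the key of each custom entry is trusted as a column
    name and concatenated into the SQL text; only the value is bound."""
    clauses, params = [], []
    for field, value in custom.items():
        clauses.append(f"{field} = %s")
        params.append(value)
    return " AND ".join(clauses), params


def build_where_safe(custom: Dict[str, str],
                     allowed=ALLOWED_FIELDS) -> Tuple[str, List[str]]:
    """Hardened pattern: the key must be a plain identifier that appears in
    the allow-list; anything else is rejected before SQL is assembled."""
    clauses, params = [], []
    for field, value in custom.items():
        if not IDENT_RE.fullmatch(field) or field not in allowed:
            raise ValueError(f"unknown field name rejected: {field!r}")
        clauses.append(f"`{field}` = %s")
        params.append(value)
    return " AND ".join(clauses), params


# Constructed payload: the attacker-controlled key rides the AND chain and
# smuggles a conditional sleep into the WHERE clause.
INJECTED_KEY = "status = 1 AND IF(1=1, SLEEP(5), 0) AND id"


def fake_db_latency(sql: str, base_latency: float) -> float:
    """Stub for the round trip: a backend that executes SLEEP(n) answers n
    seconds later. Constructed model, not a real database."""
    m = re.search(r"SLEEP\((\d+)\)", sql)
    return base_latency + (int(m.group(1)) if m else 0)


def looks_time_based(send: Callable[[Dict[str, str]], float],
                     benign: Dict[str, str], malicious: Dict[str, str],
                     expected_delay: float, trials: int = 3) -> bool:
    """Decide whether the injected SLEEP really executed. The slowest benign
    round trip is compared with the fastest malicious one, so ordinary jitter
    cannot be mistaken for the injected delay."""
    benign_max = max(send(benign) for _ in range(trials))
    malicious_min = min(send(malicious) for _ in range(trials))
    return malicious_min - benign_max >= expected_delay * 0.8


def demo() -> bool:
    """Run the timing check against the vulnerable builder with constructed
    jitter values standing in for varying network latency."""
    jitter = iter([0.21, 0.34, 0.19, 0.28, 0.25, 0.40])

    def send(custom: Dict[str, str]) -> float:
        sql, _params = build_where_unsafe(custom)
        return fake_db_latency(sql, next(jitter))

    return looks_time_based(send, {"id": "1"}, {INJECTED_KEY: "1"},
                            expected_delay=5)


if __name__ == "__main__":
    print("unsafe SQL :", build_where_unsafe({INJECTED_KEY: "1"})[0])
    print("safe SQL   :", build_where_safe({"id": "1"}))
    print("time-based :", demo())
```

The hardened builder fails closed: a key with spaces, parentheses or an unknown name never reaches the query, which is the check a patch for this class of bug needs regardless of how the rest of the query is parameterized.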

Added: Dec 19, 2025, 8:20 PM
Updated: Dec 19, 2025, 8:20 PM

Vulnerability Rating

Custom Algorithm (score per category)

spread          0.8
impact          2.5
exploitability  6.6
remediation     0.0
relevance       1.6
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.