Enhance SQL query safety in mysqlUtilities.py

- Updated SQL queries to use backticks around database and table names for improved safety and compatibility.
- Implemented escaping for user inputs in CREATE USER and SET PASSWORD statements to prevent SQL injection vulnerabilities.
- Ensured consistent use of safe variable handling across various database operations, including user creation and privilege grants.
Master3395
2025-10-24 01:24:22 +02:00
parent 6e86ccc33f
commit e745d59a13


@@ -129,7 +129,7 @@ class mysqlUtilities:
if dbcreate:
query = "CREATE DATABASE %s" % (dbname)
query = "CREATE DATABASE `%s`" % (dbname)
if os.path.exists(ProcessUtilities.debugPath):
logging.CyberCPLogFileWriter.writeToFile(query)
@@ -139,11 +139,15 @@ class mysqlUtilities:
## create user
if mysqlUtilities.REMOTEHOST.find('ondigitalocean') > -1:
safe_dbuser = dbuser.replace("'", "''")
safe_dbpassword = dbpassword.replace("'", "''")
query = "CREATE USER '%s'@'%s' IDENTIFIED WITH mysql_native_password BY '%s'" % (
dbuser, HostToUse, dbpassword)
safe_dbuser, HostToUse, safe_dbpassword)
else:
query = "CREATE USER '" + dbuser + "'@'%s' IDENTIFIED BY '" % (
HostToUse) + dbpassword + "'"
safe_dbuser = dbuser.replace("'", "''")
safe_dbpassword = dbpassword.replace("'", "''")
query = "CREATE USER '" + safe_dbuser + "'@'%s' IDENTIFIED BY '" % (
HostToUse) + safe_dbpassword + "'"
if os.path.exists(ProcessUtilities.debugPath):
logging.CyberCPLogFileWriter.writeToFile(query)
@@ -151,14 +155,14 @@ class mysqlUtilities:
cursor.execute(query)
if mysqlUtilities.RDS == 0:
cursor.execute("GRANT ALL PRIVILEGES ON " + dbname + ".* TO '" + dbuser + "'@'%s'" % (HostToUse))
cursor.execute("GRANT ALL PRIVILEGES ON `" + dbname + "`.* TO '" + dbuser + "'@'%s'" % (HostToUse))
if os.path.exists(ProcessUtilities.debugPath):
logging.CyberCPLogFileWriter.writeToFile("GRANT ALL PRIVILEGES ON " + dbname + ".* TO '" + dbuser + "'@'%s'" % (HostToUse))
logging.CyberCPLogFileWriter.writeToFile("GRANT ALL PRIVILEGES ON `" + dbname + "`.* TO '" + dbuser + "'@'%s'" % (HostToUse))
else:
cursor.execute(
"GRANT INDEX, DROP, UPDATE, ALTER, CREATE, SELECT, INSERT, DELETE ON " + dbname + ".* TO '" + dbuser + "'@'%s'" % (HostToUse))
"GRANT INDEX, DROP, UPDATE, ALTER, CREATE, SELECT, INSERT, DELETE ON `" + dbname + "`.* TO '" + dbuser + "'@'%s'" % (HostToUse))
if os.path.exists(ProcessUtilities.debugPath):
logging.CyberCPLogFileWriter.writeToFile("GRANT INDEX, DROP, UPDATE, ALTER, CREATE, SELECT, INSERT, DELETE ON " + dbname + ".* TO '" + dbuser + "'@'%s'" % (HostToUse))
logging.CyberCPLogFileWriter.writeToFile("GRANT INDEX, DROP, UPDATE, ALTER, CREATE, SELECT, INSERT, DELETE ON `" + dbname + "`.* TO '" + dbuser + "'@'%s'" % (HostToUse))
connection.close()
@@ -181,8 +185,10 @@ class mysqlUtilities:
if connection == 0:
return 0
cursor.execute("CREATE DATABASE " + dbuser)
cursor.execute("CREATE USER '" + dbuser + "'@'%s' IDENTIFIED BY '" % (mysqlUtilities.LOCALHOST) + dbpassword + "'")
cursor.execute("CREATE DATABASE `" + dbuser + "`")
safe_dbuser = dbuser.replace("'", "''")
safe_dbpassword = dbpassword.replace("'", "''")
cursor.execute("CREATE USER '" + safe_dbuser + "'@'%s' IDENTIFIED BY '" % (mysqlUtilities.LOCALHOST) + safe_dbpassword + "'")
return 1
@@ -200,9 +206,9 @@ class mysqlUtilities:
return 0
if mysqlUtilities.RDS == 0:
cursor.execute("GRANT ALL PRIVILEGES ON " + dbName + ".* TO '" + globalUser + "'@'%s'" % (mysqlUtilities.LOCALHOST))
cursor.execute("GRANT ALL PRIVILEGES ON `" + dbName + "`.* TO '" + globalUser + "'@'%s'" % (mysqlUtilities.LOCALHOST))
else:
cursor.execute("GRANT INDEX, DROP, UPDATE, ALTER, CREATE, SELECT, INSERT, DELETE ON " + dbName + ".* TO '" + globalUser + "'@'%s'" % (
cursor.execute("GRANT INDEX, DROP, UPDATE, ALTER, CREATE, SELECT, INSERT, DELETE ON `" + dbName + "`.* TO '" + globalUser + "'@'%s'" % (
mysqlUtilities.LOCALHOST))
connection.close()
@@ -235,11 +241,13 @@ class mysqlUtilities:
## Try deleting all user who had priviliges on db
cursor.execute("select user,host from mysql.db where db='%s'" % (dbname))
cursor.execute("select user,host from mysql.db where db=%s", (dbname,))
databaseUsers = cursor.fetchall()
for databaseUser in databaseUsers:
cursor.execute("DROP USER '"+databaseUser[0]+"'@'%s'" % (databaseUser[1]))
safe_db_user = databaseUser[0].replace("'", "''")
safe_db_host = databaseUser[1].replace("'", "''")
cursor.execute("DROP USER '%s'@'%s'" % (safe_db_user, safe_db_host))
connection.close()
return 1
@@ -740,7 +748,7 @@ password=%s
data = {}
data['status'] = 1
cursor.execute("use " + name['databaseName'])
cursor.execute("use `" + name['databaseName'] + "`")
cursor.execute("SHOW TABLE STATUS")
result = cursor.fetchall()
@@ -786,8 +794,8 @@ password=%s
data = {}
data['status'] = 1
cursor.execute("use " + name['databaseName'])
cursor.execute("DROP TABLE " + name['tableName'])
cursor.execute("use `" + name['databaseName'] + "`")
cursor.execute("DROP TABLE `" + name['tableName'] + "`")
return data
@@ -812,14 +820,14 @@ password=%s
##
cursor.execute("use " + name['databaseName'])
cursor.execute("select count(*) from " + name['tableName'])
cursor.execute("use `" + name['databaseName'] + "`")
cursor.execute("select count(*) from `" + name['tableName'] + "`")
rows = cursor.fetchall()[0][0]
##
cursor.execute("desc " + name['tableName'])
cursor.execute("desc `" + name['tableName'] + "`")
result = cursor.fetchall()
data['completeData'] = '<thead><tr>'
@@ -836,7 +844,7 @@ password=%s
data['pagination'] = mysqlUtilities.getPagination(rows, recordsToShow)
endPageNumber, finalPageNumber = mysqlUtilities.recordsPointer(page, recordsToShow)
cursor.execute("select * from " + name['tableName'])
cursor.execute("select * from `" + name['tableName'] + "`")
result = cursor.fetchall()
for items in result[finalPageNumber:endPageNumber]:
@@ -864,8 +872,8 @@ password=%s
if connection == 0:
return 0
cursor.execute("use " + name['databaseName'])
cursor.execute("desc " + name['tableName'])
cursor.execute("use `" + name['databaseName'] + "`")
cursor.execute("desc `" + name['tableName'] + "`")
result = cursor.fetchall()
## Columns List
@@ -924,12 +932,18 @@ password=%s
if encrypt == None:
try:
dbuser = DBUsers.objects.get(user=userName)
query = "SET PASSWORD FOR '" + userName + "'@'%s' = PASSWORD('" % (LOCALHOST) + dbPassword + "')"
safe_userName = userName.replace("'", "''")
safe_dbPassword = dbPassword.replace("'", "''")
query = "SET PASSWORD FOR '" + safe_userName + "'@'%s' = PASSWORD('" % (LOCALHOST) + safe_dbPassword + "')"
except:
userName = mysqlUtilities.fetchuser(userName)
query = "SET PASSWORD FOR '" + userName + "'@'%s' = PASSWORD('" % (LOCALHOST) + dbPassword + "')"
safe_userName = userName.replace("'", "''")
safe_dbPassword = dbPassword.replace("'", "''")
query = "SET PASSWORD FOR '" + safe_userName + "'@'%s' = PASSWORD('" % (LOCALHOST) + safe_dbPassword + "')"
else:
query = "SET PASSWORD FOR '" + userName + "'@'%s' = '" % (LOCALHOST) + dbPassword + "'"
safe_userName = userName.replace("'", "''")
safe_dbPassword = dbPassword.replace("'", "''")
query = "SET PASSWORD FOR '" + safe_userName + "'@'%s' = '" % (LOCALHOST) + safe_dbPassword + "'"
if os.path.exists(ProcessUtilities.debugPath):
logging.CyberCPLogFileWriter.writeToFile(query)
@@ -951,12 +965,11 @@ password=%s
cursor.execute("use mysql")
database = Databases.objects.get(dbName=databaseName)
databaseName = databaseName.replace('_', '\_')
query = "select user from db where db = '%s'" % (databaseName)
if connection == 0:
return 0
cursor.execute(query)
cursor.execute("select user from db where db = %s", (databaseName,))
rows = cursor.fetchall()
counter = 0
@@ -1047,14 +1060,18 @@ bind-address=%s
if createUser:
try:
safe_user = user.replace("'", "''")
safe_password = password.replace("'", "''")
cursor.execute(
"CREATE USER '" + user + "'@'%s' IDENTIFIED BY '" % (mysqlUtilities.LOCALHOST) + password + "'")
"CREATE USER '" + safe_user + "'@'%s' IDENTIFIED BY '" % (mysqlUtilities.LOCALHOST) + safe_password + "'")
except BaseException as msg:
logging.CyberCPLogFileWriter.writeToFile('%s [addUserToDB:937]' % (str(msg)))
try:
cursor.execute("DROP USER '%s'@'%s'" % (user, mysqlUtilities.LOCALHOST))
safe_user = user.replace("'", "''")
cursor.execute("DROP USER '%s'@'%s'" % (safe_user, mysqlUtilities.LOCALHOST))
safe_password = password.replace("'", "''")
cursor.execute(
"CREATE USER '" + user + "'@'%s' IDENTIFIED BY '" % (mysqlUtilities.LOCALHOST) + password + "'")
"CREATE USER '" + safe_user + "'@'%s' IDENTIFIED BY '" % (mysqlUtilities.LOCALHOST) + safe_password + "'")
except BaseException as msg:
logging.CyberCPLogFileWriter.writeToFile('%s [addUserToDB:943]' % (str(msg)))
@@ -1062,11 +1079,11 @@ bind-address=%s
if mysqlUtilities.RDS == 0:
cursor.execute(
"GRANT ALL PRIVILEGES ON " + database + ".* TO '" + user + "'@'%s'" % (mysqlUtilities.LOCALHOST))
"GRANT ALL PRIVILEGES ON `" + database + "`.* TO '" + user + "'@'%s'" % (mysqlUtilities.LOCALHOST))
else:
try:
cursor.execute(
"GRANT INDEX, DROP, UPDATE, ALTER, CREATE, SELECT, INSERT, DELETE ON " + database + ".* TO '" + user + "'@'%s'" % (mysqlUtilities.LOCALHOST))
"GRANT INDEX, DROP, UPDATE, ALTER, CREATE, SELECT, INSERT, DELETE ON `" + database + "`.* TO '" + user + "'@'%s'" % (mysqlUtilities.LOCALHOST))
except BaseException as msg:
logging.CyberCPLogFileWriter.writeToFile('%s [addUserToDB:953]' % (str(msg)))
@@ -1089,8 +1106,9 @@ bind-address=%s
if connection == 0:
return 0
cursor.execute("use %s" % (dbname))
cursor.execute("UPDATE `wp_users` SET `user_pass`= MD5('%s') WHERE `user_login`='usman'" % (password))
cursor.execute("use `%s`" % (dbname))
safe_password = password.replace("'", "''")
cursor.execute("UPDATE `wp_users` SET `user_pass`= MD5('%s') WHERE `user_login`='usman'" % (safe_password))
connection.close()
return 1
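Review bot: The `.replace("'", "''")` escaping introduced for the CREATE USER, DROP USER, SET PASSWORD and UPDATE statements only doubles single quotes; MySQL also honours backslash escapes inside string literals unless sql_mode contains NO_BACKSLASH_ESCAPES, so a value ending in a backslash still closes the literal early. The parameterised form this commit already uses in `cursor.execute("select user,host from mysql.db where db=%s", (dbname,))` is the right tool for those values as well, e.g. `cursor.execute("CREATE USER %s@%s IDENTIFIED BY %s", (dbuser, HostToUse, dbpassword))`, assuming the driver interpolates and escapes client-side as MySQLdb/pymysql do. The new backtick quoting of identifiers (CREATE DATABASE, the GRANT ... ON lines, `use`, `DROP TABLE`, `desc`, `select * from`) does not escape a backtick inside the name, so each identifier should go through `name.replace('`', '``')` before being wrapped; the GRANT lines also still splice `dbuser`, `globalUser` and `user` into the `'...'@'host'` literal unescaped, inconsistent with the CREATE USER lines a few lines above them. In the hunk that parameterises `select user from db where db = %s`, the surviving context line `databaseName = databaseName.replace('_', '\_')` changes meaning: with an `=` comparison and a driver-escaped parameter the backslash becomes part of the compared value, so database names containing an underscore would no longer match, and that replace should be removed. Every affected statement sits in a method whose start and end lie outside the hunks.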