Enhance SQL query safety in mysqlUtilities.py

- Updated SQL queries to use backticks around database and table names for improved safety and compatibility.
- Implemented escaping for user inputs in CREATE USER and SET PASSWORD statements to prevent SQL injection vulnerabilities.
- Ensured consistent use of safe variable handling across various database operations, including user creation and privilege grants.
This commit is contained in:
Master3395
2025-10-24 01:24:22 +02:00
parent 6e86ccc33f
commit e745d59a13


@@ -129,7 +129,7 @@ class mysqlUtilities:
if dbcreate: if dbcreate:
query = "CREATE DATABASE %s" % (dbname) query = "CREATE DATABASE `%s`" % (dbname)
if os.path.exists(ProcessUtilities.debugPath): if os.path.exists(ProcessUtilities.debugPath):
logging.CyberCPLogFileWriter.writeToFile(query) logging.CyberCPLogFileWriter.writeToFile(query)
@@ -139,11 +139,15 @@ class mysqlUtilities:
## create user ## create user
if mysqlUtilities.REMOTEHOST.find('ondigitalocean') > -1: if mysqlUtilities.REMOTEHOST.find('ondigitalocean') > -1:
safe_dbuser = dbuser.replace("'", "''")
safe_dbpassword = dbpassword.replace("'", "''")
query = "CREATE USER '%s'@'%s' IDENTIFIED WITH mysql_native_password BY '%s'" % ( query = "CREATE USER '%s'@'%s' IDENTIFIED WITH mysql_native_password BY '%s'" % (
dbuser, HostToUse, dbpassword) safe_dbuser, HostToUse, safe_dbpassword)
else: else:
query = "CREATE USER '" + dbuser + "'@'%s' IDENTIFIED BY '" % ( safe_dbuser = dbuser.replace("'", "''")
HostToUse) + dbpassword + "'" safe_dbpassword = dbpassword.replace("'", "''")
query = "CREATE USER '" + safe_dbuser + "'@'%s' IDENTIFIED BY '" % (
HostToUse) + safe_dbpassword + "'"
if os.path.exists(ProcessUtilities.debugPath): if os.path.exists(ProcessUtilities.debugPath):
logging.CyberCPLogFileWriter.writeToFile(query) logging.CyberCPLogFileWriter.writeToFile(query)
@@ -151,14 +155,14 @@ class mysqlUtilities:
cursor.execute(query) cursor.execute(query)
if mysqlUtilities.RDS == 0: if mysqlUtilities.RDS == 0:
cursor.execute("GRANT ALL PRIVILEGES ON " + dbname + ".* TO '" + dbuser + "'@'%s'" % (HostToUse)) cursor.execute("GRANT ALL PRIVILEGES ON `" + dbname + "`.* TO '" + dbuser + "'@'%s'" % (HostToUse))
if os.path.exists(ProcessUtilities.debugPath): if os.path.exists(ProcessUtilities.debugPath):
logging.CyberCPLogFileWriter.writeToFile("GRANT ALL PRIVILEGES ON " + dbname + ".* TO '" + dbuser + "'@'%s'" % (HostToUse)) logging.CyberCPLogFileWriter.writeToFile("GRANT ALL PRIVILEGES ON `" + dbname + "`.* TO '" + dbuser + "'@'%s'" % (HostToUse))
else: else:
cursor.execute( cursor.execute(
"GRANT INDEX, DROP, UPDATE, ALTER, CREATE, SELECT, INSERT, DELETE ON " + dbname + ".* TO '" + dbuser + "'@'%s'" % (HostToUse)) "GRANT INDEX, DROP, UPDATE, ALTER, CREATE, SELECT, INSERT, DELETE ON `" + dbname + "`.* TO '" + dbuser + "'@'%s'" % (HostToUse))
if os.path.exists(ProcessUtilities.debugPath): if os.path.exists(ProcessUtilities.debugPath):
logging.CyberCPLogFileWriter.writeToFile("GRANT INDEX, DROP, UPDATE, ALTER, CREATE, SELECT, INSERT, DELETE ON " + dbname + ".* TO '" + dbuser + "'@'%s'" % (HostToUse)) logging.CyberCPLogFileWriter.writeToFile("GRANT INDEX, DROP, UPDATE, ALTER, CREATE, SELECT, INSERT, DELETE ON `" + dbname + "`.* TO '" + dbuser + "'@'%s'" % (HostToUse))
connection.close() connection.close()
@@ -181,8 +185,10 @@ class mysqlUtilities:
if connection == 0: if connection == 0:
return 0 return 0
cursor.execute("CREATE DATABASE " + dbuser) cursor.execute("CREATE DATABASE `" + dbuser + "`")
cursor.execute("CREATE USER '" + dbuser + "'@'%s' IDENTIFIED BY '" % (mysqlUtilities.LOCALHOST) + dbpassword + "'") safe_dbuser = dbuser.replace("'", "''")
safe_dbpassword = dbpassword.replace("'", "''")
cursor.execute("CREATE USER '" + safe_dbuser + "'@'%s' IDENTIFIED BY '" % (mysqlUtilities.LOCALHOST) + safe_dbpassword + "'")
return 1 return 1
@@ -200,9 +206,9 @@ class mysqlUtilities:
return 0 return 0
if mysqlUtilities.RDS == 0: if mysqlUtilities.RDS == 0:
cursor.execute("GRANT ALL PRIVILEGES ON " + dbName + ".* TO '" + globalUser + "'@'%s'" % (mysqlUtilities.LOCALHOST)) cursor.execute("GRANT ALL PRIVILEGES ON `" + dbName + "`.* TO '" + globalUser + "'@'%s'" % (mysqlUtilities.LOCALHOST))
else: else:
cursor.execute("GRANT INDEX, DROP, UPDATE, ALTER, CREATE, SELECT, INSERT, DELETE ON " + dbName + ".* TO '" + globalUser + "'@'%s'" % ( cursor.execute("GRANT INDEX, DROP, UPDATE, ALTER, CREATE, SELECT, INSERT, DELETE ON `" + dbName + "`.* TO '" + globalUser + "'@'%s'" % (
mysqlUtilities.LOCALHOST)) mysqlUtilities.LOCALHOST))
connection.close() connection.close()
@@ -235,11 +241,13 @@ class mysqlUtilities:
## Try deleting all user who had priviliges on db ## Try deleting all user who had priviliges on db
cursor.execute("select user,host from mysql.db where db='%s'" % (dbname)) cursor.execute("select user,host from mysql.db where db=%s", (dbname,))
databaseUsers = cursor.fetchall() databaseUsers = cursor.fetchall()
for databaseUser in databaseUsers: for databaseUser in databaseUsers:
cursor.execute("DROP USER '"+databaseUser[0]+"'@'%s'" % (databaseUser[1])) safe_db_user = databaseUser[0].replace("'", "''")
safe_db_host = databaseUser[1].replace("'", "''")
cursor.execute("DROP USER '%s'@'%s'" % (safe_db_user, safe_db_host))
connection.close() connection.close()
return 1 return 1
@@ -740,7 +748,7 @@ password=%s
data = {} data = {}
data['status'] = 1 data['status'] = 1
cursor.execute("use " + name['databaseName']) cursor.execute("use `" + name['databaseName'] + "`")
cursor.execute("SHOW TABLE STATUS") cursor.execute("SHOW TABLE STATUS")
result = cursor.fetchall() result = cursor.fetchall()
@@ -786,8 +794,8 @@ password=%s
data = {} data = {}
data['status'] = 1 data['status'] = 1
cursor.execute("use " + name['databaseName']) cursor.execute("use `" + name['databaseName'] + "`")
cursor.execute("DROP TABLE " + name['tableName']) cursor.execute("DROP TABLE `" + name['tableName'] + "`")
return data return data
@@ -812,14 +820,14 @@ password=%s
## ##
cursor.execute("use " + name['databaseName']) cursor.execute("use `" + name['databaseName'] + "`")
cursor.execute("select count(*) from " + name['tableName']) cursor.execute("select count(*) from `" + name['tableName'] + "`")
rows = cursor.fetchall()[0][0] rows = cursor.fetchall()[0][0]
## ##
cursor.execute("desc " + name['tableName']) cursor.execute("desc `" + name['tableName'] + "`")
result = cursor.fetchall() result = cursor.fetchall()
data['completeData'] = '<thead><tr>' data['completeData'] = '<thead><tr>'
@@ -836,7 +844,7 @@ password=%s
data['pagination'] = mysqlUtilities.getPagination(rows, recordsToShow) data['pagination'] = mysqlUtilities.getPagination(rows, recordsToShow)
endPageNumber, finalPageNumber = mysqlUtilities.recordsPointer(page, recordsToShow) endPageNumber, finalPageNumber = mysqlUtilities.recordsPointer(page, recordsToShow)
cursor.execute("select * from " + name['tableName']) cursor.execute("select * from `" + name['tableName'] + "`")
result = cursor.fetchall() result = cursor.fetchall()
for items in result[finalPageNumber:endPageNumber]: for items in result[finalPageNumber:endPageNumber]:
@@ -864,8 +872,8 @@ password=%s
if connection == 0: if connection == 0:
return 0 return 0
cursor.execute("use " + name['databaseName']) cursor.execute("use `" + name['databaseName'] + "`")
cursor.execute("desc " + name['tableName']) cursor.execute("desc `" + name['tableName'] + "`")
result = cursor.fetchall() result = cursor.fetchall()
## Columns List ## Columns List
@@ -924,12 +932,18 @@ password=%s
if encrypt == None: if encrypt == None:
try: try:
dbuser = DBUsers.objects.get(user=userName) dbuser = DBUsers.objects.get(user=userName)
query = "SET PASSWORD FOR '" + userName + "'@'%s' = PASSWORD('" % (LOCALHOST) + dbPassword + "')" safe_userName = userName.replace("'", "''")
safe_dbPassword = dbPassword.replace("'", "''")
query = "SET PASSWORD FOR '" + safe_userName + "'@'%s' = PASSWORD('" % (LOCALHOST) + safe_dbPassword + "')"
except: except:
userName = mysqlUtilities.fetchuser(userName) userName = mysqlUtilities.fetchuser(userName)
query = "SET PASSWORD FOR '" + userName + "'@'%s' = PASSWORD('" % (LOCALHOST) + dbPassword + "')" safe_userName = userName.replace("'", "''")
safe_dbPassword = dbPassword.replace("'", "''")
query = "SET PASSWORD FOR '" + safe_userName + "'@'%s' = PASSWORD('" % (LOCALHOST) + safe_dbPassword + "')"
else: else:
query = "SET PASSWORD FOR '" + userName + "'@'%s' = '" % (LOCALHOST) + dbPassword + "'" safe_userName = userName.replace("'", "''")
safe_dbPassword = dbPassword.replace("'", "''")
query = "SET PASSWORD FOR '" + safe_userName + "'@'%s' = '" % (LOCALHOST) + safe_dbPassword + "'"
if os.path.exists(ProcessUtilities.debugPath): if os.path.exists(ProcessUtilities.debugPath):
logging.CyberCPLogFileWriter.writeToFile(query) logging.CyberCPLogFileWriter.writeToFile(query)
@@ -951,12 +965,11 @@ password=%s
cursor.execute("use mysql") cursor.execute("use mysql")
database = Databases.objects.get(dbName=databaseName) database = Databases.objects.get(dbName=databaseName)
databaseName = databaseName.replace('_', '\_') databaseName = databaseName.replace('_', '\_')
query = "select user from db where db = '%s'" % (databaseName)
if connection == 0: if connection == 0:
return 0 return 0
cursor.execute(query) cursor.execute("select user from db where db = %s", (databaseName,))
rows = cursor.fetchall() rows = cursor.fetchall()
counter = 0 counter = 0
@@ -1047,14 +1060,18 @@ bind-address=%s
if createUser: if createUser:
try: try:
safe_user = user.replace("'", "''")
safe_password = password.replace("'", "''")
cursor.execute( cursor.execute(
"CREATE USER '" + user + "'@'%s' IDENTIFIED BY '" % (mysqlUtilities.LOCALHOST) + password + "'") "CREATE USER '" + safe_user + "'@'%s' IDENTIFIED BY '" % (mysqlUtilities.LOCALHOST) + safe_password + "'")
except BaseException as msg: except BaseException as msg:
logging.CyberCPLogFileWriter.writeToFile('%s [addUserToDB:937]' % (str(msg))) logging.CyberCPLogFileWriter.writeToFile('%s [addUserToDB:937]' % (str(msg)))
try: try:
cursor.execute("DROP USER '%s'@'%s'" % (user, mysqlUtilities.LOCALHOST)) safe_user = user.replace("'", "''")
cursor.execute("DROP USER '%s'@'%s'" % (safe_user, mysqlUtilities.LOCALHOST))
safe_password = password.replace("'", "''")
cursor.execute( cursor.execute(
"CREATE USER '" + user + "'@'%s' IDENTIFIED BY '" % (mysqlUtilities.LOCALHOST) + password + "'") "CREATE USER '" + safe_user + "'@'%s' IDENTIFIED BY '" % (mysqlUtilities.LOCALHOST) + safe_password + "'")
except BaseException as msg: except BaseException as msg:
logging.CyberCPLogFileWriter.writeToFile('%s [addUserToDB:943]' % (str(msg))) logging.CyberCPLogFileWriter.writeToFile('%s [addUserToDB:943]' % (str(msg)))
@@ -1062,11 +1079,11 @@ bind-address=%s
if mysqlUtilities.RDS == 0: if mysqlUtilities.RDS == 0:
cursor.execute( cursor.execute(
"GRANT ALL PRIVILEGES ON " + database + ".* TO '" + user + "'@'%s'" % (mysqlUtilities.LOCALHOST)) "GRANT ALL PRIVILEGES ON `" + database + "`.* TO '" + user + "'@'%s'" % (mysqlUtilities.LOCALHOST))
else: else:
try: try:
cursor.execute( cursor.execute(
"GRANT INDEX, DROP, UPDATE, ALTER, CREATE, SELECT, INSERT, DELETE ON " + database + ".* TO '" + user + "'@'%s'" % (mysqlUtilities.LOCALHOST)) "GRANT INDEX, DROP, UPDATE, ALTER, CREATE, SELECT, INSERT, DELETE ON `" + database + "`.* TO '" + user + "'@'%s'" % (mysqlUtilities.LOCALHOST))
except BaseException as msg: except BaseException as msg:
logging.CyberCPLogFileWriter.writeToFile('%s [addUserToDB:953]' % (str(msg))) logging.CyberCPLogFileWriter.writeToFile('%s [addUserToDB:953]' % (str(msg)))
@@ -1089,8 +1106,9 @@ bind-address=%s
if connection == 0: if connection == 0:
return 0 return 0
cursor.execute("use %s" % (dbname)) cursor.execute("use `%s`" % (dbname))
cursor.execute("UPDATE `wp_users` SET `user_pass`= MD5('%s') WHERE `user_login`='usman'" % (password)) safe_password = password.replace("'", "''")
cursor.execute("UPDATE `wp_users` SET `user_pass`= MD5('%s') WHERE `user_login`='usman'" % (safe_password))
connection.close() connection.close()
return 1 return 1
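Review bot: Doubling single quotes in `safe_dbuser`/`safe_dbpassword` (both CREATE USER branches of the `@@ -139,11 +139,15 @@` hunk) is not a complete MySQL string escape: under the default sql_mode a backslash is also an escape character, so a value ending in `\` turns the closing `'` into a literal and the statement can still be broken out of, and the logged `query` on the next two lines still carries the plaintext password. This same commit already hands values to the driver elsewhere (`cursor.execute("select user,host from mysql.db where db=%s", (dbname,))`), so the cleaner fix is to let the driver quote user, host and password and drop the hand-rolled escaping; this relies on client-side parameter interpolation, which mysqlclient/PyMySQL do and which the `%s` placeholder style used here suggests, and the `cursor.execute(query)` that consumes this query sits in the following hunk, so the call site changes too. The backtick-quoted `dbname`/`tableName` identifiers added across the file need the matching treatment (`dbname.replace('`', '``')`), and the GRANT statements in the `@@ -151,14 +155,14 @@` hunk still interpolate `dbuser` raw, which is the same defect outside this hunk.
```python
## create user
if mysqlUtilities.REMOTEHOST.find('ondigitalocean') > -1:
    query = "CREATE USER %s@%s IDENTIFIED WITH mysql_native_password BY %s"
else:
    query = "CREATE USER %s@%s IDENTIFIED BY %s"
# … unchanged: debug logging of query (no longer contains the password) …
# following hunk: the driver quotes and escapes each value
cursor.execute(query, (dbuser, HostToUse, dbpassword))
```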