Описание
WeKnora vulnerable to SQL Injection
Summary
After WeKnora enables the Agent service, it allows users to call the database query tool. Due to insufficient backend validation, an attacker can use prompt‑based bypass techniques to evade query restrictions and obtain sensitive information from the target server and database.
Details
Source
- File:
/internal/agent/tools/database_query.go - Function:
validateAndSecureSQL()(lines 249–373) - API Endpoint:
POST /api/v1/agent-chat/{session_id}
Sink
- File:
/internal/agent/tools/database_query.go - Function:
Execute()(line 158:t.db.WithContext(ctx).Raw(securedSQL).Rows()) - Description: Raw SQL execution without parameterized queries
Backend validation code: /internal/agent/tools/database_query.go, lines 273–281:
There are two vulnerabilities here:
- No validation of dangerous built‑in PostgreSQL functions
- Comments such as
/**/are not considered, allowing attackers to replace spaces and bypass detection
PoC
Attack prompt:
- The attacker can query all contents of the database, affecting other tenants.
Attack prompt:
Impact
- Attackers can enumerate PostgreSQL server files and read/write files
Пакеты
github.com/Tencent/WeKnora
< 0.2.5
0.2.5
Связанные уязвимости
WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.5, after WeKnora enables the Agent service, it allows users to call the database query tool. Due to insufficient backend validation, an attacker can use prompt‑based bypass techniques to evade query restrictions and obtain sensitive information from the target server and database. This issue has been patched in version 0.2.5.