
[Bug] Improperly written SQL leads to SQL injection; the keyword blacklist meant to block SQL injection can be bypassed #4795

Closed
hbdxmz opened this issue Mar 16, 2023 · 2 comments
Labels
Status: done  Type: bug  Something isn't working

Comments


hbdxmz commented Mar 16, 2023

DataEase version
v1.18.4

Bug description
Improperly written SQL leads to SQL injection. The keyword blacklist used to defend against SQL injection has gaps, so injection is possible using methods that are not on the blacklist.

Steps to reproduce

1. Endpoint /api/sys_msg/list/1/10, vulnerable parameter orders: inserting a single quote produces a SQL error.

2. Because orderByClause in src/main/java/io/dataease/ext/ExtSysMsgMapper.xml is concatenated with $, injection is possible; several other XML mappers also use $ for concatenation.

3. See the SQL-injection keyword blacklist in src/main/java/io/dataease/commons/wrapper/XssAndSqlHttpServletRequestWrapper.java.

4. In error-based injection, functions such as GTID_SUBSET can also be used to bypass the blacklist; maintaining a blacklist makes it easy for things to slip through.

@hbdxmz hbdxmz added the Type: bug Something isn't working label Mar 16, 2023
@hbdxmz hbdxmz changed the title [Bug] [Bug] Improperly written SQL leads to SQL injection; the keyword blacklist meant to block SQL injection can be bypassed Mar 16, 2023
@BBchicken-9527 commented

Thanks for the report, we will fix this as soon as possible.

@xuwei-fit2cloud (Contributor) commented

This has been addressed in v1.18.5; please upgrade to the latest version.
