DataEase version: v1.18.4
Bug description: Sloppily written SQL leads to SQL injection. The keyword blacklist used to defend against SQL injection has gaps, and injection is possible with methods that fall outside the blacklist.
Bug reproduction steps
2. Because orderByClause in src/main/java/io/dataease/ext/ExtSysMsgMapper.xml is concatenated with `$`, injection is possible; several other XML files also use `$` for concatenation.
3. See the SQL-injection keyword blacklist in src/main/java/io/dataease/commons/wrapper/XssAndSqlHttpServletRequestWrapper.java.
4. In error-based injection, functions such as GTID_SUBSET can also be used to bypass the blacklist; maintaining a blacklist easily lets things slip through.
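The two failure modes the report describes, raw `${}` interpolation of an ORDER BY clause and a keyword blacklist that a MySQL error-based payload can slip past, are shown side by side below. This is an added example written for this page, not code from DataEase or from the reporter. The blacklist contents, the `sys_msg` table and column names, and the payload are all constructed for illustration and are not the project's actual list or schema.

```python
import re

# Assumed, simplified keyword blacklist of the kind a request wrapper might apply
# to every parameter. NOT DataEase's real list; constructed only to show why a
# blacklist cannot be relied on for ORDER BY input.
BLACKLIST = ("select", "union", "insert", "update", "delete", "drop", "sleep",
             "benchmark", "extractvalue", "updatexml", "information_schema")

def blacklist_blocks(value: str) -> bool:
    """True if the naive blacklist would reject this parameter value."""
    lowered = value.lower()
    return any(re.search(r"\b" + re.escape(word) + r"\b", lowered) for word in BLACKLIST)

# Constructed error-based payload for MySQL. GTID_SUBSET() with a malformed
# first argument raises ER_MALFORMED_GTID_SET_SPECIFICATION, whose message
# echoes the argument (here the server version) back to the caller. None of the
# blacklisted words appear in it.
PAYLOAD = "id, gtid_subset(concat(0x7e, version(), 0x7e), 1)"

def build_query_unsafe(order_by: str) -> str:
    """Mirrors MyBatis `${orderByClause}`: plain string interpolation into SQL."""
    return f"SELECT id, title FROM sys_msg ORDER BY {order_by}"

# Hardened version: allow-list the sortable columns and the direction, and build
# the clause from those validated parts instead of from the raw input.
SORTABLE_COLUMNS = {"id", "title", "create_time"}   # assumed column names
ORDER_RE = re.compile(r"^\s*([a-z_][a-z0-9_]*)\s*(asc|desc)?\s*$", re.IGNORECASE)

def parse_order_by(order_by: str):
    """Return (column, direction) if the clause is on the allow-list, else None."""
    m = ORDER_RE.match(order_by)
    if not m:
        return None
    column = m.group(1).lower()
    if column not in SORTABLE_COLUMNS:
        return None
    direction = (m.group(2) or "ASC").upper()
    return column, direction

def is_allowed(order_by: str) -> bool:
    return parse_order_by(order_by) is not None

def build_query_safe(order_by: str) -> str:
    parsed = parse_order_by(order_by)
    if parsed is None:
        raise ValueError(f"rejected ORDER BY clause: {order_by!r}")
    column, direction = parsed
    return f"SELECT id, title FROM sys_msg ORDER BY {column} {direction}"

if __name__ == "__main__":
    print("blacklist blocks payload:", blacklist_blocks(PAYLOAD))   # False
    print(build_query_unsafe(PAYLOAD))                               # injected query
    print(build_query_safe("title desc"))
    try:
        build_query_safe(PAYLOAD)
    except ValueError as e:
        print(e)
```

Switching `${orderByClause}` to `#{orderByClause}` is not a fix on its own: `#{}` binds the value as a string literal, so `ORDER BY 'title'` sorts by a constant rather than a column. The clause has to be assembled from an allow-list of column names and directions, as `build_query_safe` does, and the same applies to every other mapper the report says still uses `$`.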
Thanks for the feedback, we will fix it as soon as possible.
Fixed in v1.18.5, please upgrade to the latest version.
BBchicken-9527
zrfit