
DataEase has a SQL injection vulnerability that is not affected by SQL injection blacklists #5861

Closed
@Devotes

Description


Impact

DataEase has a SQL injection vulnerability that is not affected by SQL injection blacklists.

The SQL statement is located in the following file and uses the ${} symbol:
https://github.com/dataease/dataease/blob/dev/backend/src/main/java/io/dataease/ext/query/GridSql.xml

The SQL injection blacklist is as follows:

```java
// Blacklist applied to the user-supplied "orders" string before it is substituted into the SQL.
// Every alternative is wrapped in .* so the whole (lower-cased) input is tested against it.
Pattern pattern = Pattern.compile(
        "(.*\\=.*\\-\\-.*)|(.*(\\+).*)|(.*\\w+(%|\\$|#|&)\\w+.*)|(.*\\|\\|.*)|(.*\\s+(and|or)\\s+.*)"
      + "|(.*\\b(select|update|union|and|or|delete|insert|trancate|char|into|substr|ascii|declare|exec|count|master|into|drop|execute|sleep|extractvalue|updatexml|substring|database|concat|rand|gtid_subset)\\b.*)");
Matcher matcher = pattern.matcher(orders.toLowerCase());
```

SQL injection prevention is not applied at this location.

So we can get the database data.

Affected versions: <= 1.18.9
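The underlying problem is that MyBatis `${}` performs plain string substitution into the SQL text, whereas `#{}` binds a parameter; a keyword blacklist in front of `${}` only filters the strings someone thought of. The example below is added here and is not DataEase code: it transcribes the Java blacklist quoted above into Python (assuming `matcher.matches()` semantics, which is equivalent to a search here because every alternative is wrapped in `.*`) and sets it beside an allowlist validator for an ORDER BY clause. The column names are constructed for the example. The point it makes is that the blacklist only says what the input is not, while the allowlist says what it is, so the blacklist lets through any string that merely avoids the listed tokens, including column names the schema does not have.

```python
import re

# Python transcription of the Java blacklist quoted in the issue.
BLACKLIST = re.compile(
    r"(.*\=.*\-\-.*)|(.*(\+).*)|(.*\w+(%|\$|#|&)\w+.*)|(.*\|\|.*)|(.*\s+(and|or)\s+.*)"
    r"|(.*\b(select|update|union|and|or|delete|insert|trancate|char|into|substr|ascii|declare|exec"
    r"|count|master|into|drop|execute|sleep|extractvalue|updatexml|substring|database|concat|rand|gtid_subset)\b.*)"
)


def blacklist_rejects(orders: str) -> bool:
    """Return True when the page's blacklist would block the input (lower-cased, as in the Java code)."""
    return BLACKLIST.fullmatch(orders.lower()) is not None


# Allowlist approach: the caller may only pick from columns the schema actually exposes.
# Constructed column set for this example; a real service derives it from its model or metadata.
ALLOWED_COLUMNS = {"id", "name", "create_time", "update_time"}
ALLOWED_DIRECTIONS = {"asc", "desc"}


def build_order_by(orders: str) -> str:
    """Turn a user-supplied sort specification into an ORDER BY clause built from known tokens.

    Input format: comma-separated "column [asc|desc]" items, e.g. "name desc, id".
    Anything not in the allowlists raises ValueError; nothing from the input is copied
    into the SQL verbatim, so no substitution point is reachable by the caller.
    """
    clauses = []
    for item in orders.split(","):
        tokens = item.strip().split()
        if not tokens or len(tokens) > 2:
            raise ValueError(f"malformed sort item: {item!r}")
        column = tokens[0].lower()
        direction = tokens[1].lower() if len(tokens) == 2 else "asc"
        if column not in ALLOWED_COLUMNS:
            raise ValueError(f"unknown sort column: {column!r}")
        if direction not in ALLOWED_DIRECTIONS:
            raise ValueError(f"unknown sort direction: {direction!r}")
        # The emitted text comes from the allowlisted constants, not from the request.
        clauses.append(f"`{column}` {direction.upper()}")
    return "ORDER BY " + ", ".join(clauses)


def allowlist_rejects(orders: str) -> bool:
    """Convenience wrapper so the two strategies can be compared side by side."""
    try:
        build_order_by(orders)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for candidate in ["name desc, id", "unknown_col", "select 1"]:
        print(f"{candidate!r}: blacklist rejects={blacklist_rejects(candidate)}, "
              f"allowlist rejects={allowlist_rejects(candidate)}")
```

Run stand-alone, the script shows that `"unknown_col"` passes the blacklist untouched (no listed token appears in it) yet is refused by the allowlist, which is the behaviour a defender wants at a `${}` substitution point: the fix is to replace `${}` with a bound parameter where the grammar allows it, and where it does not (ORDER BY targets cannot be bound), to map the request onto a fixed set of known identifiers as above rather than to filter free text.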
