Description
Impact
DataEase has a SQL injection vulnerability that is not blocked by its SQL injection blacklist.
The affected SQL statement is in the following file and uses the ${} symbol:
https://github.com/dataease/dataease/blob/dev/backend/src/main/java/io/dataease/ext/query/GridSql.xml

The SQL injection blacklist is as follows:
    Pattern pattern = Pattern.compile("(.*\\=.*\\-\\-.*)|(.*(\\+).*)|(.*\\w+(%|\\$|#|&)\\w+.*)|(.*\\|\\|.*)|(.*\\s+(and|or)\\s+.*)"
            + "|(.*\\b(select|update|union|and|or|delete|insert|trancate|char|into|substr|ascii|declare|exec|count|master|into|drop|execute|sleep|extractvalue|updatexml|substring|database|concat|rand|gtid_subset)\\b.*)");
    Matcher matcher = pattern.matcher(orders.toLowerCase());

The SQL injection prevention has no effect at this location.

As a result, data can be read from the database.

Affected versions: <= 1.18.9
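
An allowlist is more robust than the keyword blacklist shown above, because only fixed identifiers can ever reach a ${} substitution. The following is an added example, not DataEase code or its actual fix; it assumes the orders value carries sort terms of the form "column [asc|desc]", and the class name, method name and column names are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;

public class OrderByAllowlist {
    // Hypothetical sortable columns; a real mapper would list its own.
    private static final Set<String> SORTABLE = Set.of("name", "create_time", "update_time");

    /**
     * Turns untrusted sort terms such as "create_time desc" into an ORDER BY
     * fragment made only of allowlisted column names and fixed keywords.
     * Throws IllegalArgumentException for anything else.
     */
    static String safeOrderBy(List<String> orders) {
        List<String> parts = new ArrayList<>();
        for (String raw : orders) {
            String[] tokens = raw.trim().toLowerCase(Locale.ROOT).split("\\s+");
            // One or two tokens only, and the first must be a known column.
            if (tokens.length > 2 || !SORTABLE.contains(tokens[0])) {
                throw new IllegalArgumentException("unsupported sort term");
            }
            String direction = "asc";
            if (tokens.length == 2) {
                if (!tokens[1].equals("asc") && !tokens[1].equals("desc")) {
                    throw new IllegalArgumentException("unsupported sort direction");
                }
                direction = tokens[1];
            }
            // At this point both values are equal to constants checked above.
            parts.add(tokens[0] + " " + direction);
        }
        if (parts.isEmpty()) {
            throw new IllegalArgumentException("no sort terms");
        }
        return String.join(", ", parts);
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        System.out.println(safeOrderBy(List.of("create_time desc", "name")));
        try {
            safeOrderBy(List.of("name, (constructed non-allowlisted expression)"));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The string returned by safeOrderBy is the only value that should be handed to a ${} placeholder; all other user-supplied values belong in #{} parameters, which MyBatis binds as prepared-statement arguments.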