There is a SQL injection vulnerability in the /admin/robot/approval/list interface of the rebuild system #594
Comments
We have fixed it, thanks for the report!
Thank you for your quick response and fixing the issue!
getrebuild added a commit that referenced this issue on Mar 18, 2023
* style: directory styles gh * style: J_new * feat: advListFilterTabs * feat: nav-copyto * enh: mnemonic code full pinyin * enh: map search point picking * enh: topnav * list pn * .form-line.v33 * open TAG * KVS addShutdownHook * fix: #594 --------- Co-authored-by: devezhao <zhaofang123@gmail.com>
getrebuild added a commit that referenced this issue on May 5, 2023
* Enh charts (#575) * NN * feat: LINE/BAR 2dim and dateContinuous --------- Co-authored-by: RB <getrebuild@sina.com> * Copy role (#576) * feat: showAllUsers * feat: role copy * bg-guide --------- Co-authored-by: RB <getrebuild@sina.com> * base support (#579) * Excel pdf (#581) * Bump lib * excel to pdf * PdfConverter --------- Co-authored-by: devezhao <zhaofang123@gmail.com> * Files access (#582) * code style * se:conf * feat: folder rights --------- Co-authored-by: devezhao <zhaofang123@gmail.com> * Showfields spec (#584) * field CLASSIFICATION dv * feat: SYS for DataList * view > details * Trigger async (#585) * synchronous send * Update @rbv --------- Co-authored-by: RB <getrebuild@sina.com> * N2n aggregation (#587) * list view * bump * better delete * Update @rbv * star userid * fieldVarsN2NPath * USER_OWNS No warn --------- Co-authored-by: devezhao <zhaofang123@gmail.com> * Single field after reload (#589) * v3.3 compact * singleField reload * .col-right-compact --------- Co-authored-by: RB <getrebuild@sina.com> * List styles (#590) * quick-filter-pane v3 * dock page * better * H5 sync (#593) * Update submail.html * better files * Update @rbv * H5 sync2 (#595) * style: directory styles gh * style: J_new * feat: advListFilterTabs * feat: nav-copyto * enh: mnemonic code full pinyin * enh: map search point picking * enh: topnav * list pn * .form-line.v33 * open TAG * KVS addShutdownHook * fix: #594 --------- Co-authored-by: devezhao <zhaofang123@gmail.com> * Fix long request (#599) * fix: `trigger/exec-manual` async * fix: lang * fix: #596 * open: detailsNotEmpty (#600) * open: detailsNotEmpty * enh: template preview * protable tipping * be: form-design * be: file upload noname * style: better * be: NTEXT \n --------- Co-authored-by: RB <getrebuild@sina.com> * List topnav (#601) * setHidden * enh: THROTTLED_QUEUE * enh: PageTokenVerify 2h * fix: Mix N2N & styles * feat: form backfill source field supports second level * be: showStartGuide * fix: spec label * fix: chart ticks * fix: file copy --------- Co-authored-by: devezhao <zhaofang123@gmail.com> * Trigger fa n2n (#602) * style * Update entities-sheet.html * be: N2N in FieldWriteback * feat: fa target field supports N2N NTEXT * Update trigger.FIELDAGGREGATION.js * be * Update LogFunction.java * be: save tips * transform-design * be: meta-name trim * enh: show import speed * Project view (#603) * relaxed-path-chars * be: style * feat: LiteForm, setNullable, setTip * be: forms include * Update @rbv * style: line break * enh: customized * style: dialog footer --------- Co-authored-by: devezhao <zhaofang123@gmail.com> * Excel use refs (#605) * template v33 * be: schema timeout * DataList renderAfter * enh: whenUpdateFields * be: RbAlter hide force * Update @rbv * fix: useValueOfVarRecord --------- Co-authored-by: devezhao <zhaofang123@gmail.com> * import for users (#608) * fix: template v33 * feat: clearFields * be: login btn * enh: direct print * fix: textCommon overflow * be: J_decimalTypeFlag * be: styles & ID * AssertFailedException * be: aviator func * FieldWritebackRefresh * SSS * be: RecordBuilder * classification-editor * Update ClassificationFileImporter.java * be: target record DELETED * Update BarCodeSupport.java * feat: N selected * imports for users * be: barcode w/h * Update DataImportController.java * be: TopNav * open: textCommon * feat: EnableBizzPart * text $separator --------- Co-authored-by: devezhao <zhaofang123@gmail.com> * Better v3.3 (#610) * be: style * 3.3.0-beta1 * be --------- Co-authored-by: devezhao <zhaofang123@gmail.com>
Version
<=3.2.3
What's the problem
There is a SQL injection vulnerability in the /admin/robot/approval/list interface of the rebuild system.
How to reproduce this problem
Function points
Request message for search function
Payload
%25%5c%27%20or%20updatexml(1,concat(0x7e,(select+table_name+from+information_schema.tables+where+table_schema=0x72656275696c64+limit+0,1),0x7e),1)--+
Vulnerability reproduction
System environment (OS/MySQL version/Browser etc.)
Mysql 5.7.26
Windows
JDK1.8.0_341
Chrome
Suggested description
A SQL injection vulnerability exists in rebuild <=3.2.3.
Parameters are not properly validated, resulting in a SQL injection vulnerability.
Vulnerability Type
SQLi
Vendor of Product
https://github.com/getrebuild/rebuild
Affected Product Code Base
<=3.2.3
Affected Component
/admin/robot/approval/list
Attack Type
Remote
Cause of vulnerability
Interface: /admin/robot/approval/list
In the com.rebuild.web.robot.approval.ApprovalAdminController#approvalList() method, the SQL statement is created and passed into the queryListOfConfig() method.
In the com.rebuild.web.admin.ConfigCommons#queryListOfConfig() method, the user's input is substituted into the SQL statement, and the escapeSql() method is called to process the user's input data.
In the escapeSql() method, each single quotation mark in the user input is replaced with two single quotation marks.
Attackers can use escaping to neutralise the extra quotation mark and achieve SQL injection.
Then createQuery() is called directly to run the query.
The end, thanks!
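The quote-doubling weakness described in the report, as an added illustration that is not code from the rebuild project: `escape_sql_quote_only` mimics the behaviour the report attributes to escapeSql(), `escape_mysql` is a constructed backslash-aware escaper, and `literal_stays_closed` is a small scanner that applies MySQL's default string-literal rules to check whether an escaped value can close the quoted literal early (assumes sql_mode without NO_BACKSLASH_ESCAPES).

```python
def escape_sql_quote_only(value: str) -> str:
    """Weak escaper as described in the report: only doubles single quotes."""
    return value.replace("'", "''")


def escape_mysql(value: str) -> str:
    """Backslash-aware escaper (constructed for this example).

    The backslash is escaped first, so a user-supplied backslash can no
    longer neutralise the escaped quote that follows it.
    """
    return value.replace("\\", "\\\\").replace("'", "\\'")


def literal_stays_closed(escaped: str) -> bool:
    """Scan the literal '<escaped>' with MySQL's default rules.

    Returns True when the first closing quote the parser sees is the last
    character, i.e. the user data cannot leave the string context; False
    when the literal closes early or never closes at all.
    """
    sql = "'" + escaped + "'"
    i = 1
    while i < len(sql):
        ch = sql[i]
        if ch == "\\":  # backslash escapes the following character
            i += 2
            continue
        if ch == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":  # '' is an escaped quote
                i += 2
                continue
            return i == len(sql) - 1  # a closing quote must be the final char
        i += 1
    return False  # ran off the end: unterminated literal


def escaper_is_safe(escape, samples) -> bool:
    """True only if every sample stays inside the literal after escaping."""
    return all(literal_stays_closed(escape(s)) for s in samples)


# Constructed inputs: a benign quote, a backslash before a quote (the
# pattern the report's payload relies on) and a trailing backslash.
SAMPLES = ["O'Reilly", "\\' or 1=1", "abc\\"]

if __name__ == "__main__":
    print("quote-only escaper safe:", escaper_is_safe(escape_sql_quote_only, SAMPLES))  # False
    print("backslash-aware escaper safe:", escaper_is_safe(escape_mysql, SAMPLES))  # True
```

In the application itself the durable fix is to bind the search value as a query parameter instead of splicing an escaped string into the SQL text.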