Version
<=3.2.3
What's the problem
A SQL injection vulnerability exists in the /project/tasks/list interface of the rebuild system.
How to reproduce this problem
Function points
Request message:
Payload:
%25%5c%27%20or%20updatexml(1,concat(0x7e,(select+table_name+from+information_schema.tables+where+table_schema=0x72656275696c64+limit+0,1),0x7e),1)--+
Vulnerability reproduction
There you can see it!
System environment (OS/MySQL/Browser etc)
MySQL 5.7.26
Windows
JDK1.8.0_341
Chrome
Suggested description
A SQL injection vulnerability exists in rebuild <=3.2.3.
Parameters are not properly validated, resulting in a SQL injection vulnerability.
Vulnerability Type
SQLi
Vendor of Product
https://github.com/getrebuild/rebuild
Affected Product Code Base
<=3.2.3
Affected Component
/project/tasks/list
Attack Type
Remote
Cause of vulnerability
In the com.rebuild.web.project.ProjectTaskController#taskList() method, part of the SQL statement is built by hand and is ultimately concatenated into the query statement.
Although StringEscapeUtils.escapeSql() is applied to the user input here, it can be bypassed.
Finally, at line 122 of com.rebuild.web.project.ProjectTaskController, the user input is carried into the query statement, causing a SQL injection vulnerability.
The end, thanks!
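As an added example (not code from the rebuild project or from this report), a detection check a defender can run over web access logs for the affected endpoint: it URL-decodes each query parameter to a fixpoint (the reported payload is double-encoded, starting with %25) and flags the elements of that payload, a backslash-quote pair, an updatexml() call, an information_schema reference and a trailing comment terminator. The log lines and the parameter name "search" are constructed placeholders; the report does not name the injected parameter.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log request lines (not real traffic). The parameter
# name "search" is a placeholder; the report does not name the parameter.
REQUEST_LINES = [
    "GET /project/tasks/list?project=1&search=release%20notes HTTP/1.1",
    "GET /project/tasks/list?project=1&search=O%27Brien HTTP/1.1",
    "GET /project/tasks/list?project=1&search=%25%5c%27%20or%20updatexml(1,"
    "concat(0x7e,(select+table_name+from+information_schema.tables+where+"
    "table_schema=0x72656275696c64+limit+0,1),0x7e),1)--+ HTTP/1.1",
    "GET /static/app.js?v=3.2.3 HTTP/1.1",
]

# Each rule names the element of the reported payload it catches. A backslash
# before a quote is what defeats an escape step that only doubles quotes.
RULES = [
    ("backslash-quote", re.compile(r"\\'")),
    ("updatexml-call", re.compile(r"\bupdatexml\s*\(", re.IGNORECASE)),
    ("information-schema", re.compile(r"\binformation_schema\b", re.IGNORECASE)),
    ("comment-terminator", re.compile(r"--(\s|$)")),
]

def decode_fully(value, max_rounds=3):
    """Unwrap repeated percent-encoding (the payload starts with %25 -> %)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value

def inspect_request(request_line, path="/project/tasks/list"):
    """Return [(param, rule_name), ...] for suspicious params on `path`."""
    _method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    if parts.path != path:
        return []
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = decode_fully(value)  # parse_qsl already decoded one layer
        for rule_name, pattern in RULES:
            if pattern.search(decoded):
                findings.append((name, rule_name))
    return findings

def scan(lines):
    """Map each flagged line index to its findings; clean lines are omitted."""
    return {i: f for i, f in enumerate(map(inspect_request, lines)) if f}

if __name__ == "__main__":
    for idx, findings in scan(REQUEST_LINES).items():
        print(idx, findings)
```

A legitimate apostrophe such as O'Brien is not flagged, because the rule keys on the backslash-quote pair rather than on quotes alone.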