Vulnerability analysis

The vulnerable route is /${ms.manager.path}/mdiy/page/verify. The vulnerable point is the method below: the validated method called in both branches of the if...else is affected.

It calls the parent class's validated method, which puts the incoming fieldName and fieldValue into the where object and then calls appBiz.queryBySQL.

validated

appBiz.queryBySQL

The implementation of queryBySQL calls getDao().queryBySQL(table, fields, wheres, null, null, null, null, null);

getDao().queryBySQL(table, fields, wheres, null, null, null, null, null);

The concrete SQL statement executed by getDao().queryBySQL is shown below. The key in it comes from the Map-typed where object, that is, the fieldName passed in from the front end.

Vulnerability verification

Construct the following request; if the database length is greater than 1, it sleeps for 3 seconds.

Debug output of the SQL statement
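The pattern the report describes, as an added stand-alone illustration (Python/sqlite3, not MCMS or its DAO code): the values of the where map are bound as parameters, but its keys are spliced into the SQL text as column names, so the fieldName is the injection point. The table, column and function names below are constructed for the demo, and because sqlite has no sleep(), the blind probe uses a boolean oracle instead of the report's 3-second sleep; the hardened variant checks every identifier against the table's real columns before building the statement.

```python
import re
import sqlite3

# Constructed sample schema and rows (not from the project).
SCHEMA = """
CREATE TABLE page (id INTEGER PRIMARY KEY, page_key TEXT, page_title TEXT);
INSERT INTO page VALUES (1, 'home', 'Home'), (2, 'about', 'About');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def query_unsafe(conn, table, fields, where):
    """Vulnerable pattern: the keys of the `where` map are interpolated into
    the statement unchanged (like a MyBatis ${key}); only the values go
    through '?' placeholders, so a crafted key rewrites the WHERE clause."""
    conds = " AND ".join(f"{key} = ?" for key in where)
    sql = f"SELECT {', '.join(fields)} FROM {table} WHERE {conds}"
    return conn.execute(sql, list(where.values())).fetchall()


IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def columns_of(conn, table):
    """Real column names of `table`, read from the schema (hypothetical helper)."""
    if not IDENT.match(table):
        raise ValueError(f"bad table name: {table!r}")
    return {row[1] for row in conn.execute(f"PRAGMA table_info({table})")}


def query_safe(conn, table, fields, where):
    """Hardened: every selected field and every where key must be an actual
    column of the table; anything else is rejected before SQL is built."""
    allowed = columns_of(conn, table)
    for name in list(fields) + list(where):
        if name not in allowed:
            raise ValueError(f"column not allowed: {name!r}")
    conds = " AND ".join(f"{key} = ?" for key in where)
    sql = f"SELECT {', '.join(fields)} FROM {table} WHERE {conds}"
    return conn.execute(sql, list(where.values())).fetchall()


def blind_probe(conn, condition):
    """Boolean-based blind probe through the vulnerable path.  The attacker
    controlled key turns `key = ?` into
    `(CASE WHEN <condition> THEN id ELSE -1 END) = 1`, so the row with id 1
    comes back only when <condition> is true.  The report's request uses a
    MySQL sleep(3) as the same kind of oracle."""
    key = f"(CASE WHEN {condition} THEN id ELSE -1 END)"
    return bool(query_unsafe(conn, "page", ["id"], {key: 1}))


if __name__ == "__main__":
    db = open_db()
    print(blind_probe(db, "length(sqlite_version()) > 1"))   # True: condition holds
    print(blind_probe(db, "1 = 0"))                           # False
    print(query_safe(db, "page", ["id"], {"page_key": "home"}))
    try:
        query_safe(db, "page", ["id"], {"1=1 OR id": 1})
    except ValueError as e:
        print("rejected:", e)
```

The allowlist is the important part: escaping cannot help here because a column name is an identifier, not a string literal, so the only safe options are to look the name up against a fixed set (as above) or to map front-end field names to columns through a dictionary the client cannot influence.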
5.2.9 fix it
killfen