sql inject 2 #23

Open

@novysodope

Description

src/main/resources/mybatis/system/DeptMapper.xml

There is a ${} in this mapper.

Search for selectDeptList to see where this select id is used:
/DeptController.java

Query dept information:

Follow the selectDeptList method to see the specific implementation:

/DeptServiceImpl.java

The parameters in the Dept object are passed into the mapper for the SQL operation. Because dataScope is controllable, the vulnerability arises.

Verification:

Construct the URL and parameters according to the code:

params[dataScope]=

Use error-based injection to query the database version:

params[dataScope]=and+extractvalue(1,concat(0x7e,substring((select+version()),1,32),0x7e))

Select the database name:
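The root cause described above is that a request-controlled params[dataScope] value is spliced into the mapper's SQL text through ${}. Switching the placeholder to #{} would not help on its own, because dataScope is a SQL fragment rather than a bind value, so the defender's fix is to make sure the fragment is only ever built from server-side authorization data. The following is an added illustration of that contrast, written for this page and not taken from the project; the class name DataScopeGuard, the helper names, the table and column names, and the sample department ids are all constructed.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

/**
 * Added example (not the project's code). Contrasts the pattern the issue
 * describes, a request-controlled params[dataScope] pasted into SQL via ${},
 * with a hardened version where the data-scope fragment is rebuilt only from
 * server-side role data. All names here are hypothetical.
 */
public class DataScopeGuard {

    // Stand-in for the mapper's "${params.dataScope}" substitution: whatever
    // string is in the map is inlined into the SQL text verbatim.
    static String vulnerableQuery(Map<String, Object> params) {
        String dataScope = String.valueOf(params.getOrDefault("dataScope", ""));
        return "select * from sys_dept d where d.del_flag = '0' " + dataScope;
    }

    // Hardened: discard any client-supplied dataScope and rebuild it from the
    // authenticated user's department ids (a constructed server-side source).
    static String hardenedQuery(Map<String, Object> params, Set<Long> allowedDeptIds) {
        params.remove("dataScope");                 // client input can never seed the fragment
        params.put("dataScope", buildDataScope(allowedDeptIds));
        return "select * from sys_dept d where d.del_flag = '0' " + params.get("dataScope");
    }

    // Only numeric ids reach the SQL text, so no attacker-chosen characters can.
    static String buildDataScope(Set<Long> deptIds) {
        if (deptIds.isEmpty()) {
            return "AND 1 = 0";                     // no scope: return no rows, not all rows
        }
        StringBuilder sb = new StringBuilder("AND d.dept_id IN (");
        boolean first = true;
        for (Long id : deptIds) {
            if (!first) {
                sb.append(", ");
            }
            sb.append(id.longValue());              // Long renders as digits only
            first = false;
        }
        return sb.append(")").toString();
    }

    public static void main(String[] args) {
        Map<String, Object> fromRequest = new HashMap<>();
        // Constructed probe: a harmless tautology standing in for attacker-chosen text.
        fromRequest.put("dataScope", "and 1=1");

        Set<Long> userDepts = new TreeSet<>(Set.of(100L, 101L));   // constructed sample scope

        System.out.println("vulnerable: " + vulnerableQuery(new HashMap<>(fromRequest)));
        System.out.println("hardened:   " + hardenedQuery(new HashMap<>(fromRequest), userDepts));
    }
}
```

Running this prints the vulnerable query with the client's text appended verbatim, and the hardened query with "AND d.dept_id IN (100, 101)" in its place regardless of what the request carried. A useful companion control is to log any request that arrives with params[dataScope] already set, since a legitimate client has no reason to send it.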
