src/main/resources/mybatis/system/DeptMapper.xml
There is a ${} in this mapper

Search for selectDeptList to see where this select id is used:

/DeptController.java
Query dept information:

Follow the selectDeptList method to see the specific implementation:
/DeptServiceImpl.java

The parameters in the Dept are passed into the mapper for the SQL operation. Because dataScope is controllable, the vulnerability is generated.

Verification:
Splice URL and parameters according to code:
params[dataScope]=
Use error injection to query the database version:
params[dataScope]=and+extractvalue(1,concat(0x7e,substring((select+version()),1,32),0x7e))
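An added example, not part of the original issue or the project's code: an audit script that lists every ${} text substitution in a MyBatis mapper by statement id, so each one can be traced back to its caller the way the report does for selectDeptList. The mapper below is a constructed sample; its namespace, columns and the expression params.dataScope are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample mapper (not the project's file); ids and columns are illustrative.
SAMPLE_MAPPER = """<mapper namespace="example.DeptMapper">
  <sql id="cols">select d.dept_id, d.dept_name from sys_dept d</sql>
  <select id="selectDeptList" resultType="map">
    <include refid="cols"/>
    where d.del_flag = '0'
    <if test="deptName != null">
      and d.dept_name like concat('%', #{deptName}, '%')
    </if>
    ${params.dataScope}
  </select>
  <select id="selectDeptById" resultType="map">
    <include refid="cols"/> where d.dept_id = #{deptId}
  </select>
</mapper>"""

# ${x} is pasted into the SQL text as-is; #{x} becomes a bound parameter.
RAW_SUBST = re.compile(r"\$\{([^}]*)\}")
STATEMENTS = {"select", "insert", "update", "delete", "sql"}


def find_raw_substitutions(mapper_xml):
    """Return sorted (statement id, expression) pairs for every ${} found."""
    root = ET.fromstring(mapper_xml)
    findings = set()
    for stmt in root:
        if stmt.tag not in STATEMENTS:
            continue
        # itertext() also walks nested <if>/<where>/<foreach> bodies.
        body = "".join(stmt.itertext())
        for match in RAW_SUBST.finditer(body):
            findings.add((stmt.get("id"), match.group(1).strip()))
    return sorted(findings)


if __name__ == "__main__":
    for stmt_id, expr in find_raw_substitutions(SAMPLE_MAPPER):
        print(f"{stmt_id}: ${{{expr}}} is spliced into the SQL text; "
              "check whether a request parameter can reach it")
```

Each hit is a lead to review rather than a confirmed flaw: the substitution is safe only if the value is built server-side and cannot be set from the request.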

