Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

sql inject 1 #22

Open
novysodope opened this issue Jan 16, 2023 · 0 comments
Open

sql inject 1 #22

novysodope opened this issue Jan 16, 2023 · 0 comments

Comments

@novysodope
Copy link

novysodope commented Jan 16, 2023
edited
Loading

src/main/resources/mybatis/system/RoleMapper.xml

There is a ${} in this mapper

<if test="deptId != null and deptId != 0">
			AND (u.dept_id = #{deptId} OR u.dept_id IN ( SELECT t.dept_id FROM sys_dept t WHERE FIND_IN_SET (#{deptId},ancestors) ))
		</if>
		<!-- 数据范围过滤 -->
		${params.dataScope}
	</select>

Search selectUserList to see where the this select id is used:

image

Query user information:
src/main/java/com/luckyframe/project/system/role/controller/RoleController.java

image

Follow up the selectUserList method to see the specific implementation:

src/main/java/com/luckyframe/project/system/role/service/RoleServiceImpl.java

image

The parameters in the User are passed into the mapper for SQL operation. Because the datascope is controllable, the vulnerability is generated

image

Verification:

Splice URL and parameters according to code:

params[dataScope]=

Use error injection to query the database version:

params[dataScope]=and+extractvalue(1,concat(0x7e,substring((select+version()),1,32),0x7e))

image

Select database name:

image
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@novysodope