
Rainy/DocSys


SQL injection risk in getReposAllUsers.do and other interfaces

Done
Opened this issue 2022-12-12 11:02

There is an interface vulnerable to SQL injection:
/DocSystem/Repos/getReposAllUsers.do

It can be seen from the back-end code that the interface's database query uses getReposAllUsers(), which receives two parameters, searchWord and reposId.

getReposAllUsers() uses queryReposMemberWithParamLike() to process the incoming parameters.

View ReposAuthMapper.xml.

It is found that queryReposMemberWithParamLike uses ${} for the incoming parameters without precompilation, which leads to an SQL injection vulnerability.

Vulnerability Exploitation Process Demonstration

Use the demo site provided by the author to demonstrate the exploit.

http://dw.gofreeteam.com/DocSystem/web/index.html

Log in with guest/guest.

Capture the request packet.

Modify the URL to /DocSystem/Repos/getReposAllUsers.do and change the request method to POST.

Construct the request, populating the reposId and searchWord parameters.

SQL injection via the searchWord parameter.

Use sqlmap for verification; the request packet is as follows:

POST /DocSystem/Repos/getReposAllUsers.do HTTP/1.1
Host: dw.gofreeteam.com
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=30230AB3A967C905F212A4D3A981894D
If-Modified-Since: Mon, 15 Aug 2022 09:41:58 GMT
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 39

reposId=28&searchWord=*

Use the SQL injection vulnerability to get the current database name.

In addition, the LIKE statements of other interfaces also do not use precompilation.
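The mapper pattern this issue describes, next to its parameterized fix, as an added example in MyBatis mapper XML for MySQL. It is not DocSys's own ReposAuthMapper.xml; the namespace, resultType, table and column names (repos_auth, repos_id, user_name) and the @Param names are assumptions.

```xml
<!-- Added example, not the project's mapper. Table/column names are placeholders. -->
<mapper namespace="com.example.ReposAuthMapper">

  <!-- VULNERABLE: ${} is plain text substitution performed by MyBatis before the
       statement reaches the JDBC driver, so searchWord becomes part of the SQL text. -->
  <select id="queryReposMemberWithParamLikeUnsafe" resultType="map">
    SELECT * FROM repos_auth
    WHERE repos_id = ${reposId}
      AND user_name LIKE '%${searchWord}%'
  </select>

  <!-- FIXED: #{} turns into a PreparedStatement '?' placeholder; the value is bound by
       the driver and cannot change the statement's structure. The wildcards are added
       in SQL with CONCAT so the full pattern is still one bound parameter. -->
  <select id="queryReposMemberWithParamLike" resultType="map">
    SELECT * FROM repos_auth
    WHERE repos_id = #{reposId}
      AND user_name LIKE CONCAT('%', #{searchWord}, '%')
  </select>

  <!-- Database-independent variant: build the pattern with <bind> and bind it as one
       parameter. Assumes the mapper method declares @Param("reposId") and
       @Param("searchWord") so both names resolve. -->
  <select id="queryReposMemberWithParamLikeBind" resultType="map">
    <bind name="pattern" value="'%' + searchWord + '%'"/>
    SELECT * FROM repos_auth
    WHERE repos_id = #{reposId}
      AND user_name LIKE #{pattern}
  </select>

  <!-- Note: even when bound, '%' and '_' inside searchWord still act as LIKE wildcards.
       That is a matching-accuracy issue, not injection; escape them in Java and add an
       ESCAPE clause if exact substring matching is required. -->

</mapper>
```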

Comments (2)


Are you saying the content of searchWord is changed to SQL syntax?
In your screenshot searchWord is only changed to *; is the screenshot incomplete?

Replace '%${}%' with #{} to avoid SQL command injection.

Rainy changed issue state from To Do to Done
