dromara / J2eeFAST

SQL injection security problems (SQL injection)

Done
Opened this issue 2021-03-16 21:18

Hello, I have found that there are two SQL injections in your program, so I created this issue to help you improve the security of the program.

First place: http://demo.j2eefast.com/fast/sys/role/list and the parameter is deptId
Second place: http://demo.j2eefast.com/fast/sys/role/authUser/list and the parameter is roleId

1. How I found this vulnerability?

In the mapper file src/main/resources/mapper/sys/SysUserMapper.xml you use ${} to join the SQL statements.

${} in the SQL statements

'${compId}' may be vulnerable to SQL injection. I then looked into the file src/main/java/com/j2eefast/framework/sys/service/SysUserService.java and found that you use String to make it a string type. This leads to the SQL injection.
compId is a String type

2. How to reproduce?

  1. Log in with username 00008 and request the people management function. The request and response is:
    [screenshot]

The parameter compId is vulnerable to SQL injection. Using these SQL statements I can get the database info: when the condition is true, the server will respond with the info, while in the false case it will be null.

  1. Determine whether the database name's length is 6:
    1'+or+length(database())=6+and+'1'='1

[screenshot]

  2. The first letter of the database name is f.

[screenshot]

  3. When the condition is false, the info will be null.
    [screenshot]

  4. Finally I found that the database name is fastdb.

3. How to repair?

  1. Use #{} instead of ${}.
  2. Use a type cast to make compId an int type.

4. Error info

[screenshot]
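As an added example (not the project's own SysUserMapper.xml; the table and column names are hypothetical), the weak ${} binding next to the #{} form the report recommends, so a reader can see why one is string concatenation and the other a bound parameter:

```xml
<!-- Added example, not the project's mapper. Table sys_user and its columns
     are hypothetical; only the compId parameter comes from the report. -->
<mapper namespace="com.example.SysUserMapper">

  <!-- BEFORE (the pattern the report describes): ${} pastes the raw value
       into the SQL text before it reaches JDBC, so quotes and keywords in the
       value become part of the statement. Wrapping it in '...' does not help,
       because the value can close the quote itself. -->
  <select id="selectByCompIdUnsafe" parameterType="string"
          resultType="com.example.SysUser">
    SELECT id, user_name, comp_id
    FROM sys_user
    WHERE comp_id = '${compId}'
  </select>

  <!-- AFTER (fix 1 from the report): #{} is compiled to a JDBC placeholder
       (?) and the value is set through PreparedStatement, so it is always
       data and never SQL. No quotes around the placeholder; the driver types
       it. Declaring the parameter as long (fix 2) also rejects non-numeric
       input before any SQL is built. -->
  <select id="selectByCompId" parameterType="long"
          resultType="com.example.SysUser">
    SELECT id, user_name, comp_id
    FROM sys_user
    WHERE comp_id = #{compId}
  </select>

</mapper>
```

The matching mapper interface method should take a Long compId rather than a String, so the type cast the report asks for happens at the service boundary and the database only ever sees a bound numeric value.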

Comments (1)

juicy created the task
juicy set the related repository to 周周/J2eeFAST
周周 changed the issue state from To do to Done
周周 added the BUG label
