Vulnerability Product:Pear Admin Boot
Vulnerability version:<=2.0.2
Vulnerability type:sql injection
Vulnerability Details：

1. First, in com/pearadmin/modules/sys/mapper/xml/SysDictDataMapper.xml, we found that ${} was used to pass in the three parameters of text, code, and table, so there was SQL injection. Now let's find out how to pass the parameters.
   

2. In com/pearadmin/modules/sys/mapper/SysDictDataMapper.java:62, we found the queryTableDictByKeys method declared. Now let’s find where this method is called again.
   

3. Find the method call in com/pearadmin/modules/sys/service/impl/SysDictDataServiceImpl.java:101, and then look up
   

4. Next, we found that the queryTableDictByKeys method was called in com/pearadmin/modules/sys/controller/SysDictDataController.java:127. The text, code, and table variables can be assigned values ​​through the /system/dictData/loadDictItem/{{dictCode}} interface, and the parameter values ​​are passed in through the path.
   

5. Finally, our payload is as follows

http://localhost:8088/system/dictData/loadDictItem/sys_user,user(),1?key=1