1. A global search for ${ finds ${orderUtil.orderBy} used in mybatis/mapper/RewardMapper.xml:74 to splice a parameter into the statement. Unlike #{}, MyBatis ${} does not bind a parameter; it substitutes the value into the SQL text as-is. So if we can control that value, SQL injection follows.
2. The select() method is declared in com/xq/tmall/dao/RewardMapper.java:17. orderUtil.orderBy is controlled by whoever builds the OrderUtil object passed into select(), so we keep walking up the call chain to see where select() is called.
4. Following the callers leads straight to the controller layer: getList() in com/xq/tmall/controller/admin/RewardController.java:97 calls select(). Therefore, as long as the corresponding parameters can be supplied over HTTP, the SQL injection is reachable.
5. Following the OrderUtil class shows that orderUtil = new OrderUtil(orderBy, isDesc); produces the orderUtil.orderBy value we need, and the orderBy parameter comes straight from the request, so the SQL injection can be triggered from here.
6. Analysis of the permission filter shows that any URL containing /admin/login or /admin/account is not subjected to the permission check. This is an unauthorized access vulnerability: all backend interfaces can be reached without authorization.
7. Combined with the unauthorized access vulnerability in the filter, we can call the backend interface without authorization. Next, we construct a POC that triggers the SQL injection directly through a front-end request.
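The following is an added example, not code from the xq/tmall project or from the original write-up. It reproduces in miniature the two behaviours described above, the ${} text substitution behind the ORDER BY injection (steps 1 to 5) and the substring-based filter bypass (step 6), and places a hardened version next to each. The table name tmall_reward, the column allowlist, the field names inside OrderUtil, the request path /admin/reward/getList and the query-string bypass are all assumptions made for illustration; the real bypass vector depends on which servlet value the project's filter actually inspects, which the write-up does not show.

```java
import java.util.List;
import java.util.Set;

// Added example, not code from xq/tmall. Table/column names, the allowlist,
// the request paths and the OrderUtil field names are assumptions.
public class RewardOrderByDemo {

    // Shaped like the project's OrderUtil(orderBy, isDesc); field names assumed.
    static final class OrderUtil {
        final String orderBy;
        final boolean isDesc;

        OrderUtil(String orderBy, boolean isDesc) {
            this.orderBy = orderBy;
            this.isDesc = isDesc;
        }
    }

    // What MyBatis does with ${orderUtil.orderBy}: plain text substitution into
    // the statement, no parameter binding, so the value becomes SQL syntax.
    static String vulnerableSelectSql(OrderUtil o) {
        return "SELECT * FROM tmall_reward ORDER BY " + o.orderBy
                + (o.isDesc ? " DESC" : " ASC");
    }

    // Hardened: an ORDER BY column cannot be bound with #{}, so the only safe
    // option is to accept nothing but known column names (allowlist assumed).
    static final Set<String> ORDER_COLUMNS = Set.of(
            "reward_id", "reward_name", "reward_value", "reward_startTime");

    static String safeSelectSql(OrderUtil o) {
        if (!ORDER_COLUMNS.contains(o.orderBy)) {
            throw new IllegalArgumentException("orderBy not in allowlist: " + o.orderBy);
        }
        return "SELECT * FROM tmall_reward ORDER BY " + o.orderBy
                + (o.isDesc ? " DESC" : " ASC");
    }

    // The permission filter as described in step 6: a substring test on the URL
    // skips the permission check if "/admin/login" or "/admin/account" appears
    // anywhere in it.
    static boolean vulnerableFilterSkipsAuth(String url) {
        return url.contains("/admin/login") || url.contains("/admin/account");
    }

    // Hardened: compare the servlet path (never the query string) exactly
    // against the few endpoints that are legitimately public; every other
    // /admin path falls through to the permission check.
    static final List<String> PUBLIC_ADMIN_PATHS = List.of("/admin/login", "/admin/account");

    static boolean safeFilterSkipsAuth(String servletPath) {
        return PUBLIC_ADMIN_PATHS.contains(servletPath);
    }

    public static void main(String[] args) {
        // A benign sort key next to an attacker-chosen one (MySQL syntax assumed).
        OrderUtil benign = new OrderUtil("reward_id", true);
        OrderUtil hostile = new OrderUtil(
                "(SELECT IF(SUBSTRING(version(),1,1)='8',SLEEP(3),1))", false);

        System.out.println(vulnerableSelectSql(benign));
        // The subquery is pasted into the statement and executed by the database.
        System.out.println(vulnerableSelectSql(hostile));

        System.out.println(safeSelectSql(benign));
        try {
            safeSelectSql(hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Assuming the filter tests the full URL, a query-string value carrying
        // the magic substring switches the permission check off for any path.
        String bypass = "/admin/reward/getList?orderBy=reward_id&back=/admin/login";
        System.out.println("substring filter skips auth: " + vulnerableFilterSkipsAuth(bypass));
        System.out.println("exact-path filter skips auth for getList: "
                + safeFilterSkipsAuth("/admin/reward/getList"));
        System.out.println("exact-path filter skips auth for login: "
                + safeFilterSkipsAuth("/admin/login"));
    }
}
```

Compile and run with javac RewardOrderByDemo.java && java RewardOrderByDemo. The hardened select keeps ${} in the mapper (ORDER BY needs an identifier, not a bound value) but only ever passes an allowlisted column name into it, and the isDesc flag is reduced to a boolean before it touches the SQL. The hardened filter matches the servlet path exactly instead of searching the URL for a substring, which is the property the original check lacks.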