luckyframeweb3.5 sql inject 1

src/main/resources/mybatis/system/RoleMapper.xml

There is a ${} in this mapper

Search selectrolelist to see where the this select id is used：

src/main/java/com/luckyframe/project/system/role/controller/RoleController.java

Query role information：

Follow up the selectrolelist method to see the specific implementation：

src/main/java/com/luckyframe/project/system/role/service/RoleServiceImpl.java

The parameters in the role are passed into the mapper for SQL operation. Because the datascope is controllable, the vulnerability is generated

Verification:

Splice URL and parameters according to code:


http://127.0.0.1/system/role/list

params[dataScope]

Use error injection to query the database version：

1 2	`params[dataScope]=and+extractvalue(1,concat(0x7e,substring((select+version()),1,32),0x7e))`

Select database name:

代码审计

java代码审计

声明：
本文章用于学习交流，严禁用于非法操作，出现后果一切自行承担，阅读此文章表示你已同意本声明。

Disclaimer:
This article is for study and communication. It is strictly forbidden to use it for illegal operations. All consequences shall be borne by yourself. Reading this article means that you have agreed to this statement.

luckyframeweb3.5 sql inject 2 上一篇

Springboot devtools <=2.6.4 rce 下一篇