| Title | ghostxbh uzy-ssm-mall v1.0.0 SQL Injection |
|---|---|
| Description | Vulnerability Description<br>In uzy-ssm-mall v1.0.0, the /mall/product/0/20 interface contains a high-risk SQL injection vulnerability. The root cause is that the code does not filter data passed from the frontend and concatenates it directly into SQL statements. An attacker can therefore manipulate database queries by crafting malicious input, potentially retrieving, modifying, or deleting sensitive information in the database.<br>Vulnerability Location<br>The vulnerability is located at the /mall/product/0/20 interface.<br>The specific call sequence is: ProductMapper --> ProductServiceImpl --> ForeProductListController.<br>Code Audit Process<br>Vulnerability File Path / File Name:<br>The vulnerability point is located in the order by statement, where the sorting field is passed from the frontend.<br>Vulnerability Call Sequence:<br>ProductMapper: The Mapper layer responsible for interacting with the database.<br>ProductServiceImpl: The business logic layer, which calls the Mapper layer for database operations.<br>ForeProductListController: The controller layer, which receives frontend requests and calls the Service layer for processing.<br>Vulnerability Code Analysis:<br>In ForeProductListController.java, the sorting field is passed directly from the frontend without any filtering or validation.<br>This field is concatenated directly into the SQL statement, resulting in an SQL injection vulnerability.<br>Vulnerability Exploitation:<br>Attackers can manipulate the order by statement by constructing malicious input, thereby executing arbitrary SQL queries.<br>POC<br>http(s)://target-ip/mall/product/0/20?category_id=151&isDesc=true&orderBy=%28select%2Afrom%28select%2Bsleep%280%29union%2F%2A%2A%2Fselect%2B1%29a%29 |
| Source | https://wiki.shikangsi.com/post/share/ba8925f0-0480-4356-9b32-4543d0ea8671 |
| User | XingYue_Mstir (UID 72225) |
| Submitted | 2025-04-02 11:56 (1 year ago) |
| Moderation | 2025-04-14 00:36 (12 days later) |
| Status | Accepted |
| VulDB Entry | 304600 [ghostxbh uzy-ssm-mall 1.0.0 /mall/product/0/20 ForeProductListController orderBy SQL Injection] |
| Points | 20 |
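The flaw described above is the classic ORDER BY injection: a column name cannot be bound as a prepared-statement parameter, so code that takes the sort field from the request and splices it into the query string lets the caller supply arbitrary SQL. The usual fix is to map the frontend sort key onto a fixed allow-list of column names and refuse anything else. The following is an added example written for this entry; it is not code from uzy-ssm-mall, and the class name, the sort keys, and the column names in `SORT_COLUMNS` are hypothetical placeholders.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Optional;

// Added example (not from uzy-ssm-mall): resolve a frontend-supplied sort key
// against an allow-list before it is placed in an ORDER BY clause.
public final class OrderByGuard {

    // Hypothetical mapping from the sort keys the frontend is allowed to send
    // to real column names. Only these values can ever reach the SQL string;
    // the raw request parameter itself is never used.
    private static final Map<String, String> SORT_COLUMNS = Map.of(
        "price",   "product_sale_price",
        "name",    "product_name",
        "created", "product_create_date"
    );

    /**
     * Returns the validated ORDER BY fragment, or Optional.empty() when the
     * key is not on the allow-list. Callers must treat empty as "reject the
     * request" or "use a fixed default", never as "fall back to the raw value".
     *
     * @param orderBy the sort key taken from the request (untrusted)
     * @param isDesc  sort direction; already a boolean, so it cannot carry SQL
     */
    public static Optional<String> orderByClause(String orderBy, boolean isDesc) {
        if (orderBy == null) {
            return Optional.empty();
        }
        String column = SORT_COLUMNS.get(orderBy.trim().toLowerCase(Locale.ROOT));
        if (column == null) {
            return Optional.empty();
        }
        // Both pieces are program-controlled constants at this point, so
        // concatenation is safe here.
        return Optional.of("ORDER BY " + column + (isDesc ? " DESC" : " ASC"));
    }

    public static void main(String[] args) {
        // A legitimate request: resolves to a fixed column name.
        System.out.println(orderByClause("price", true).orElse("<rejected>"));
        // The URL-decoded orderBy value from the PoC above: not on the
        // allow-list, so it never reaches the query.
        String injected = "(select*from(select+sleep(0)union/**/select+1)a)";
        System.out.println(orderByClause(injected, true).orElse("<rejected>"));
    }
}
```

Compiled and run with a JDK 9 or later (`javac OrderByGuard.java && java OrderByGuard`), the first call prints `ORDER BY product_sale_price DESC` and the second prints `<rejected>`. In a MyBatis project this resolved fragment is what should be passed to the mapper; MyBatis substitutes `${...}` verbatim into the statement while `#{...}` becomes a bound parameter, so any value that ends up in a `${...}` ORDER BY position must come from an allow-list like this one rather than from the request.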