| タイトル | linlinjava litemall up to 1.8.0 Argument Injection |
|---|
| 説明 | A vulnerability was found in linlinjava litemall up to 1.8.0.(https://github.com/linlinjava/litemall )It has been classified as critical. Affected is the function backup/load of the file litemall-db/src/main/java/org/linlinjava/litemall/db/util/DbUtil.java. The manipulation of the argument db/password leads to argument injection.
The backup() function at line 13 constructs a command:
String command = "mysqldump -u" + user + " -p" + password + " --set-charset=utf8 " + db;
Process child = rt.exec(command);
Since Runtime.exec(String) splits by whitespace, an attacker can inject additional mysqldump arguments.
PoC 1 - Arbitrary file write via db parameter:
Setting db="litemall --result-file=/tmp/pwned.txt" causes mysqldump to write output to arbitrary path.
Verified on server (CentOS 7, Java 17, MySQL 8.0.45): file /tmp/pwned.txt was created successfully.
PoC 2 - Arbitrary file write via password parameter:
Setting password="test --result-file=/tmp/pwned2.txt" also works.
Verified on server: file /tmp/pwned2.txt was created.
Impact: Arbitrary file write leading to potential RCE via cron job injection (writing to /etc/cron.d/).
The load() function at line 33 has the same issue with the mysql command.
Suggested fix: Replace Runtime.exec(String) with ProcessBuilder using argument array:
ProcessBuilder pb = new ProcessBuilder("mysqldump", "-u" + user, "-p" + password, "--set-charset=utf8", db);
Reporter: berna ([email protected]) |
|---|
| ソース | ⚠️ https://gist.github.com/A1AAAAAAAAAA1/d5ae30a17744459e7cc5902fff32a35b |
|---|
| ユーザー | berna (UID 97558) |
|---|
| 送信 | 2026年04月23日 16:43 (1 月 ago) |
|---|
| モデレーション | 2026年05月17日 11:36 (24 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 364398 [linlinjava litemall 迄 1.8.0 Database Setting DbUtil.java backup/load db/password 特権昇格] |
|---|
| ポイント | 20 |
|---|