| 제목 | linlinjava litemall up to 1.8.0 Argument Injection |
|---|
| 설명 | A vulnerability was found in linlinjava litemall up to 1.8.0.(https://github.com/linlinjava/litemall )It has been classified as critical. Affected is the function backup/load of the file litemall-db/src/main/java/org/linlinjava/litemall/db/util/DbUtil.java. The manipulation of the argument db/password leads to argument injection.
The backup() function at line 13 constructs a command:
String command = "mysqldump -u" + user + " -p" + password + " --set-charset=utf8 " + db;
Process child = rt.exec(command);
Since Runtime.exec(String) splits by whitespace, an attacker can inject additional mysqldump arguments.
PoC 1 - Arbitrary file write via db parameter:
Setting db="litemall --result-file=/tmp/pwned.txt" causes mysqldump to write output to arbitrary path.
Verified on server (CentOS 7, Java 17, MySQL 8.0.45): file /tmp/pwned.txt was created successfully.
PoC 2 - Arbitrary file write via password parameter:
Setting password="test --result-file=/tmp/pwned2.txt" also works.
Verified on server: file /tmp/pwned2.txt was created.
Impact: Arbitrary file write leading to potential RCE via cron job injection (writing to /etc/cron.d/).
The load() function at line 33 has the same issue with the mysql command.
Suggested fix: Replace Runtime.exec(String) with ProcessBuilder using argument array:
ProcessBuilder pb = new ProcessBuilder("mysqldump", "-u" + user, "-p" + password, "--set-charset=utf8", db);
Reporter: berna ([email protected]) |
|---|
| 원천 | ⚠️ https://gist.github.com/A1AAAAAAAAAA1/d5ae30a17744459e7cc5902fff32a35b |
|---|
| 사용자 | berna (UID 97558) |
|---|
| 제출 | 2026. 04. 23. PM 04:43 (1 월 ago) |
|---|
| 모더레이션 | 2026. 05. 17. AM 11:36 (24 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 364398 [linlinjava litemall 까지 1.8.0 Database Setting DbUtil.java backup/load db/password 권한 상승] |
|---|
| 포인트들 | 20 |
|---|