Submit #549260: ghostxbh uzy-ssm-mall v1.0.0 SQL Injection

Title: ghostxbh uzy-ssm-mall v1.0.0 SQL Injection

Description:

Vulnerability Description
In the uzy-ssm-mall v1.0.0 version, the /mall/product/0/20 interface contains a high-risk SQL injection vulnerability. Its root cause is that the code does not filter the data passed from the frontend and concatenates it directly into SQL statements. An attacker can therefore manipulate database queries by constructing malicious input, potentially retrieving, modifying or deleting sensitive information in the database.

Vulnerability Location
The vulnerability is located at the /mall/product/0/20 interface. The specific call sequence is: ProductMapper --> ProductServiceImpl --> ForeProductListController.

Code Audit Process
Vulnerability File Path / File Name: The vulnerability point is located in the order by statement, where the sorting field is passed from the frontend.

Vulnerability Call Sequence:
ProductMapper: the Mapper layer responsible for interacting with the database.
ProductServiceImpl: the business logic layer, which calls the Mapper layer for database operations.
ForeProductListController: the controller layer, which receives frontend requests and calls the Service layer for processing.

Vulnerability Code Analysis: In ForeProductListController.java, the sorting field is passed straight from the frontend without any filtering or validation and is concatenated directly into the SQL statement, resulting in an SQL injection vulnerability.

Vulnerability Exploitation: Attackers can manipulate the order by statement by constructing malicious inputs, thereby executing arbitrary SQL queries.

POC
http(s)://target-ip/mall/product/0/20?category_id=151&isDesc=true&orderBy=%28select%2Afrom%28select%2Bsleep%280%29union%2F%2A%2A%2Fselect%2B1%29a%29
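The report describes a sort field that is spliced into an ORDER BY clause. Because a sort column cannot be bound as a prepared-statement parameter (in MyBatis, #{} would turn it into a string literal, which is why code reaches for ${} substitution), the fix is to resolve the user-supplied key against a fixed allow-list and only ever emit the mapped column name. The following is an added example, not code from uzy-ssm-mall; the class name, the map contents and the column names are assumptions.

```java
import java.util.Map;
import java.util.Optional;

// Added example (not uzy-ssm-mall code): allow-list resolution of the
// user-controlled orderBy / isDesc parameters before an ORDER BY is built.
public final class ProductSort {

    // The only columns an ORDER BY may ever contain. Keys are the values the
    // frontend is allowed to send; values are the real column names.
    // These names are assumed for the example, not taken from the project.
    private static final Map<String, String> ALLOWED_SORT_COLUMNS = Map.of(
            "price", "product_price",
            "sales", "product_sale_count",
            "created", "product_create_date");

    private ProductSort() {}

    // Returns a safe "column ASC|DESC" fragment, or empty when the requested
    // key is not allow-listed. The user's string is never copied into the
    // result; only the fixed column name from the map is used.
    public static Optional<String> resolve(String orderBy, boolean isDesc) {
        if (orderBy == null) {
            return Optional.empty();
        }
        String column = ALLOWED_SORT_COLUMNS.get(orderBy.trim().toLowerCase());
        if (column == null) {
            return Optional.empty();
        }
        return Optional.of(column + (isDesc ? " DESC" : " ASC"));
    }

    // The shape the report describes: the raw parameter is concatenated into
    // the statement, so whatever arrives in orderBy is interpreted as SQL.
    static String unsafeQuery(String orderBy, boolean isDesc) {
        return "SELECT * FROM product ORDER BY " + orderBy + (isDesc ? " DESC" : " ASC");
    }

    // Hardened shape: an unknown sort key falls back to a fixed default
    // (rejecting the request with HTTP 400 is an equally valid choice).
    static String safeQuery(String orderBy, boolean isDesc) {
        String sort = resolve(orderBy, isDesc).orElse("product_id ASC");
        return "SELECT * FROM product ORDER BY " + sort;
    }

    public static void main(String[] args) {
        System.out.println(safeQuery("price", true));
        System.out.println(safeQuery("(select 1)", true));
    }
}
```

The same lookup belongs in the Service layer (ProductServiceImpl in the call chain above) so that the Mapper only ever receives a column name that came from the map, never from the request.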
Source: https://wiki.shikangsi.com/post/share/ba8925f0-0480-4356-9b32-4543d0ea8671
User: XingYue_Mstir (UID 72225)
Submission: 04/02/2025 11:56
Moderation: 04/14/2025 00:36 (12 days later)
Status: Accepted
VulDB entry: 304600 [ghostxbh uzy-ssm-mall 1.0.0 /mall/product/0/20 ForeProductListController orderBy sql injection]
Points: 20
