| 标题 | linlinjava litemall up to 1.8.0 Argument Injection |
|---|
| 描述 | A vulnerability was found in linlinjava litemall up to 1.8.0.(https://github.com/linlinjava/litemall )It has been classified as critical. Affected is the function backup/load of the file litemall-db/src/main/java/org/linlinjava/litemall/db/util/DbUtil.java. The manipulation of the argument db/password leads to argument injection.
The backup() function at line 13 constructs a command:
String command = "mysqldump -u" + user + " -p" + password + " --set-charset=utf8 " + db;
Process child = rt.exec(command);
Since Runtime.exec(String) splits by whitespace, an attacker can inject additional mysqldump arguments.
PoC 1 - Arbitrary file write via db parameter:
Setting db="litemall --result-file=/tmp/pwned.txt" causes mysqldump to write output to arbitrary path.
Verified on server (CentOS 7, Java 17, MySQL 8.0.45): file /tmp/pwned.txt was created successfully.
PoC 2 - Arbitrary file write via password parameter:
Setting password="test --result-file=/tmp/pwned2.txt" also works.
Verified on server: file /tmp/pwned2.txt was created.
Impact: Arbitrary file write leading to potential RCE via cron job injection (writing to /etc/cron.d/).
The load() function at line 33 has the same issue with the mysql command.
Suggested fix: Replace Runtime.exec(String) with ProcessBuilder using argument array:
ProcessBuilder pb = new ProcessBuilder("mysqldump", "-u" + user, "-p" + password, "--set-charset=utf8", db);
Reporter: berna ([email protected]) |
|---|
| 来源 | ⚠️ https://gist.github.com/A1AAAAAAAAAA1/d5ae30a17744459e7cc5902fff32a35b |
|---|
| 用户 | berna (UID 97558) |
|---|
| 提交 | 2026-04-23 16時43分 (1 月前) |
|---|
| 管理 | 2026-05-17 11時36分 (24 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 364398 [linlinjava litemall 直到 1.8.0 Database Setting DbUtil.java backup/load db/password 权限提升] |
|---|
| 积分 | 20 |
|---|