CVE-2023-24221: sql inject 2 · Issue #23 · seagull1985/LuckyFrameWeb

LuckyframeWEB v3.5 was discovered to contain a SQL injection vulnerability via the dataScope parameter at /system/DeptMapper.xml.


src/main/resources/mybatis/system/DeptMapper.xml

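This mapper contains a ${} placeholder, which MyBatis substitutes into the SQL text as a raw string instead of binding it as a parameter.

Search for selectDeptList to see where this select id is used: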

/DeptController.java

Query dept information:

Follow the selectDeptList method to see the specific implementation:

/DeptServiceImpl.java

The parameters in the Dept object are passed into the mapper for the SQL operation. Because dataScope is user-controllable, this results in the vulnerability.

Verification:

Build the URL and parameters according to the code:

Use error-based injection to query the database version:

params[dataScope]=and+extractvalue(1,concat(0x7e,substring((select+version()),1,32),0x7e))

Select database name:
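The first step of this report, spotting a ${} in a mapper and noting which statement id contains it, can be automated as a source audit. The following is an added example, not code from LuckyFrameWeb or from the original issue; the sample mapper is constructed, and the function name find_raw_substitutions is hypothetical.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample mapper modelled on the pattern in the report
# (not a copy of LuckyFrameWeb's DeptMapper.xml).
SAMPLE_MAPPER = """<mapper namespace="example.DeptMapper">
  <select id="selectDeptList" parameterType="Dept" resultType="Dept">
    select dept_id, dept_name from sys_dept
    <where>
      <if test="deptName != null">AND dept_name like concat('%', #{deptName}, '%')</if>
      ${params.dataScope}
    </where>
  </select>
  <select id="selectDeptById" parameterType="Long" resultType="Dept">
    select dept_id, dept_name from sys_dept where dept_id = #{deptId}
  </select>
</mapper>"""

# Elements whose body is SQL text in a MyBatis mapper.
STATEMENT_TAGS = {"select", "insert", "update", "delete", "sql"}
# ${...} is raw string substitution; #{...} is a bound parameter and is ignored.
RAW_SUBSTITUTION = re.compile(r"\$\{\s*([^}]+?)\s*\}")


def find_raw_substitutions(mapper_xml):
    """Return sorted (statement id, expression) pairs for each ${...} found."""
    root = ET.fromstring(mapper_xml)  # accepts str or bytes
    findings = set()
    for stmt in root.iter():
        if stmt.tag not in STATEMENT_TAGS:
            continue
        # itertext() also covers nested <where>/<if>/<foreach> bodies.
        for expr in RAW_SUBSTITUTION.findall("".join(stmt.itertext())):
            findings.add((stmt.get("id", "?"), expr))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python audit_mappers.py path/to/*Mapper.xml (no args: run on the sample)
    sources = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [("sample", SAMPLE_MAPPER)]
    for name, xml_text in sources:
        for stmt_id, expr in find_raw_substitutions(xml_text):
            print(f"{name}: statement '{stmt_id}' interpolates ${{{expr}}} into SQL")
```

Each hit is a review candidate: trace the expression back through the service and controller, as the report does for selectDeptList, to determine whether request input can reach it.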
