Headline
CVE-2023-24219: sql inject 3 · Issue #24 · seagull1985/LuckyFrameWeb
LuckyframeWEB v3.5 was discovered to contain a SQL injection vulnerability via the dataScope parameter at /system/UserMapper.xml.
src/main/resources/mybatis/system/UserMapper.xml
There is a ${} in this mapper
Search selectUserList to see where the this select id is used:
UserController.java
Query user information:
Follow up the selectUserList method to see the specific implementation:
UserServiceImpl.java
The parameters in the User are passed into the mapper for SQL operation. Because the datascope is controllable, the vulnerability is generated
Verification:
Splice URL and parameters according to code:
Use error injection to query the database version:
params[dataScope]=and+extractvalue(1,concat(0x7e,substring((select+version()),1,32),0x7e))
Select database name: