CVE-2023-40771: DataEase has a SQL injection vulnerability that is not affected by SQL injection blacklists · Issue #5861 · dataease/dataease
SQL injection vulnerability in DataEase v.1.18.9 allows a remote attacker to obtain sensitive information via a crafted string outside of the blacklist function.
Impact
DataEase has a SQL injection vulnerability that is not affected by its SQL injection blacklists.
The SQL statement is located in the following file and inserts user input with the ${} substitution syntax, which inlines the raw string into the SQL text instead of binding it as a parameter:
https://github.com/dataease/dataease/blob/dev/backend/src/main/java/io/dataease/ext/query/GridSql.xml
The SQL injection blacklist is as follows:
// Keyword/character blacklist applied to the order string (the pattern is quoted from DataEase; string escaping restored)
Pattern pattern = Pattern.compile("(.*\\=.*\\-\\-.*)|(.*(\\+).*)|(.*\\w+(%|\\$|#|&)\\w+.*)|(.*\\|\\|.*)|(.*\\s+(and|or)\\s+.*)" + "|(.*\\b(select|update|union|and|or|delete|insert|trancate|char|into|substr|ascii|declare|exec|count|master|into|drop|execute|sleep|extractvalue|updatexml|substring|database|concat|rand|gtid_subset)\\b.*)");
Matcher matcher = pattern.matcher(orders.toLowerCase());
This blacklist check does not prevent injection at the location above: a crafted string that matches none of the listed patterns is still inlined into the query, so the database contents can be read.
Affected versions: <= 1.18.9
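A keyword blacklist like the one above is a denylist, and a denylist for SQL fragments is inherently incomplete. Because column names and sort directions in an ORDER BY clause cannot be bound as prepared-statement parameters (which is why such fragments end up in ${} substitution in the first place), the defensive fix is an allowlist: accept only known sortable column names and the two directions, reject everything else, and quote the validated identifier before it is concatenated. The following is an added example written for this advisory, not DataEase's own code; the class name, the column set and the sample inputs are assumptions constructed for illustration.

```java
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example (not DataEase code): allowlist validation for a caller-supplied
// ORDER BY fragment, as the replacement for a keyword blacklist.
public class OrderByAllowlist {

    // Assumption for the example: the only columns this query may sort on.
    // A real implementation derives this set from the table's known schema.
    private static final Set<String> ALLOWED_COLUMNS = Set.of("id", "name", "create_time");

    // One order term: an identifier, optionally followed by whitespace and a direction.
    // Anything outside this shape (punctuation, operators, comments) fails to match.
    private static final Pattern TERM = Pattern.compile(
            "^\\s*([a-z_][a-z0-9_]*)(?:\\s+(asc|desc))?\\s*$", Pattern.CASE_INSENSITIVE);

    /**
     * Builds an ORDER BY clause from comma-separated user input.
     * Throws IllegalArgumentException for any term that is malformed or names
     * a column outside the allowlist; returns "" when no ordering is requested.
     */
    static String buildOrderBy(String userSupplied) {
        if (userSupplied == null || userSupplied.isBlank()) {
            return "";
        }
        StringBuilder out = new StringBuilder();
        for (String term : userSupplied.split(",")) {
            Matcher m = TERM.matcher(term);
            if (!m.matches()) {
                throw new IllegalArgumentException("malformed order term: " + term.trim());
            }
            String column = m.group(1).toLowerCase();
            String direction = m.group(2) == null ? "asc" : m.group(2).toLowerCase();
            if (!ALLOWED_COLUMNS.contains(column)) {
                throw new IllegalArgumentException("column not sortable: " + column);
            }
            if (out.length() > 0) {
                out.append(", ");
            }
            // The identifier is known-good at this point; quote it (MySQL backtick style)
            // so the concatenated fragment contains nothing but the vetted name and direction.
            out.append('`').append(column).append("` ").append(direction);
        }
        return "ORDER BY " + out;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one valid, one naming a column that is not sortable,
        // one that does not fit the term shape at all.
        System.out.println(buildOrderBy("name desc, id"));
        for (String rejected : List.of("name desc, email", "id desc extra")) {
            try {
                buildOrderBy(rejected);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The result of buildOrderBy is the only string that should reach ${} substitution; the raw request value never does. Compared with the blacklist, this check has no list of forbidden words to keep complete, and a new input that the regex did not anticipate is rejected rather than passed through.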