Ref#
Vulnerables#
SQL Injection#
page.orderBy 注入#
注入点 1#
jeesite/src/main/webapp/WEB-INF/classes/mappings/modules/cms/GuestbookDao.xml
<!-- Paged guestbook query. The only filter value (delFlag) is bound with #{...};
     the ORDER BY clause is the one place where a value is interpolated as raw text. -->
<select id="findList" resultType="Guestbook">
SELECT
<include refid="cmsGuestbookColumns"/>
FROM cms_guestbook a
<include refid="cmsGuestbookJoins"/>
<where>
a.del_flag = #{delFlag}
</where>
<choose>
<when test="page !=null and page.orderBy != null and page.orderBy != ''">
<!-- ${...} is string substitution, not a bound parameter: page.orderBy is spliced into the
     statement verbatim. The test above only rejects null/empty, so the value has to be
     restricted (e.g. to an allow-list of sortable column names) before it reaches this mapper.
     Where page.orderBy is populated is not shown in this listing. -->
ORDER BY ${page.orderBy}
</when>
<otherwise>
ORDER BY a.create_date DESC
</otherwise>
</choose>
</select>反向寻找接口
com.thinkgem.jeesite.modules.cms.service.GuestbookService#findPage
com.thinkgem.jeesite.modules.cms.web.GuestbookController#list
/**
 * Guestbook list page.
 * <p>
 * Paging and sorting state is taken from the request through {@code new Page<>(request, response)}
 * and handed to the service unchanged; this method performs no check of its own on that object.
 * NOTE(review): how the Page constructor populates orderBy is not visible here — confirm in Page,
 * because GuestbookDao.findList interpolates page.orderBy into its ORDER BY clause as raw text.
 *
 * @param guestbook handler argument carrying the filter fields (presumably bound from request parameters)
 * @param request   current request, used to build the Page
 * @param response  current response, passed through to the Page
 * @param model     receives the resulting page under the key "page"
 * @return the guestbook list view name
 */
@RequiresPermissions("cms:guestbook:view")
@RequestMapping(value = {"list", ""})
public String list(Guestbook guestbook, HttpServletRequest request, HttpServletResponse response, Model model) {
// The Page object built from the request goes straight to the service/DAO layer.
Page<Guestbook> page = guestbookService.findPage(new Page<Guestbook>(request, response), guestbook);
model.addAttribute("page", page);
return "modules/cms/guestbookList";
}接口几乎无校验
注入点 2#
jeesite/src/main/resources/mappings/modules/gen/GenTableDao.xml
<!-- Paged code-generator table query. Equality filters and the dialect-specific LIKE patterns
     (selected by dbName) are built from bound #{...} parameters; only the ORDER BY clause is
     interpolated as raw text. -->
<select id="findList" resultType="GenTable">
SELECT
<include refid="genTableColumns"/>
FROM gen_table a
<include refid="genTableJoins"/>
WHERE a.del_flag = #{DEL_FLAG_NORMAL}
<if test="name != null and name != ''">
AND a.name = #{name}
</if>
<if test="nameLike != null and nameLike != ''">
AND a.name LIKE
<if test="dbName == 'oracle'">'%'||#{nameLike}||'%'</if>
<if test="dbName == 'mssql'">'%'+#{nameLike}+'%'</if>
<if test="dbName == 'mysql'">concat('%',#{nameLike},'%')</if>
</if>
<if test="comments != null and comments != ''">
AND a.comments LIKE
<if test="dbName == 'oracle'">'%'||#{comments}||'%'</if>
<if test="dbName == 'mssql'">'%'+#{comments}+'%'</if>
<if test="dbName == 'mysql'">concat('%',#{comments},'%')</if>
</if>
<if test="parentTable != null and parentTable != ''">
AND a.parent_table = #{parentTable}
</if>
<choose>
<!-- Unlike the guestbook and user mappers, this test does not guard "page != null" first;
     with no page object the expression may fail to evaluate instead of falling through to the
     default ordering (presumably the service always supplies a Page — confirm). -->
<when test="page.orderBy != null and page.orderBy != ''">
<!-- ${...} splices page.orderBy into the statement verbatim; the test only rejects null/empty,
     so the value must be limited to known column names before it reaches this mapper. -->
ORDER BY ${page.orderBy}
</when>
<otherwise>
ORDER BY a.name ASC
</otherwise>
</choose>
</select>com.thinkgem.jeesite.common.persistence.CrudDao#findListcom.thinkgem.jeesite.modules.gen.service.GenTableService#findcom.thinkgem.jeesite.modules.gen.web.GenTableController#list
/**
 * Code-generator table list page.
 * <p>
 * For non-admin callers the filter object's createBy is set to the current user before the query.
 * NOTE(review): the GenTableDao.findList mapper shown on this page has no create_by condition, so
 * whether this actually restricts the result set depends on code not shown (joins/service) — confirm.
 * The Page built from the request is passed on unchanged, so whatever sort expression it carries
 * reaches the DAO, which interpolates page.orderBy verbatim; Page's own handling of orderBy is not
 * visible here.
 *
 * @param genTable handler argument carrying the filter fields (presumably bound from request parameters)
 * @param request  current request, used to build the Page
 * @param response current response, passed through to the Page
 * @param model    receives the resulting page under the key "page"
 * @return the generator table list view name
 */
@RequiresPermissions("gen:genTable:view")
@RequestMapping(value = {"list", ""})
public String list(GenTable genTable, HttpServletRequest request, HttpServletResponse response, Model model) {
User user = UserUtils.getUser();
// Admins query without the createBy constraint; everyone else is pinned to their own user.
if (!user.isAdmin()){
genTable.setCreateBy(user);
}
Page<GenTable> page = genTableService.find(new Page<GenTable>(request, response), genTable);
model.addAttribute("page", page);
return "modules/gen/genTableList";
}依旧一路畅通
注入点 3#
jeesite/src/main/resources/mappings/modules/sys/UserDao.xml
<!-- Paged user query. Filter values are bound with #{...}; the dialect-specific LIKE patterns
     (dbName) are assembled from bound parameters. Two fragments are interpolated as raw text:
     ${sqlMap.dsf} and ${page.orderBy} (see the notes below). -->
<select id="findList" resultType="User">
SELECT
<include refid="userColumns"/>
FROM sys_user a
<include refid="userJoins"/>
<if test="role != null and role.id != null and role.id != ''">
JOIN sys_user_role ur ON ur.user_id = a.id AND ur.role_id = #{role.id}
</if>
WHERE a.del_flag = #{DEL_FLAG_NORMAL}
<if test="company != null and company.id != null and company.id != ''">
AND (c.id = #{company.id} OR c.parent_ids LIKE
<if test="dbName == 'oracle'">'%,'||#{company.id}||',%')</if>
<if test="dbName == 'mssql'">'%,'+#{company.id}+',%')</if>
<if test="dbName == 'mysql'">CONCAT('%,', #{company.id}, ',%'))</if>
</if>
<if test="office != null and office.id != null and office.id != ''">
AND (o.id = #{office.id} OR o.parent_ids LIKE
<if test="dbName == 'oracle'">'%,'||#{office.id}||',%')</if>
<if test="dbName == 'mssql'">'%,'+#{office.id}+',%')</if>
<if test="dbName == 'mysql'">CONCAT('%,', #{office.id}, ',%'))</if>
</if>
<!-- Hide the super administrator row (id '1') unless the current user is an admin -->
<if test="!currentUser.admin">
AND a.id != '1'
</if>
<if test="loginName != null and loginName != ''">
AND a.login_name like
<if test="dbName == 'oracle'">'%'||#{loginName}||'%'</if>
<if test="dbName == 'mssql'">'%'+#{loginName}+'%'</if>
<if test="dbName == 'mysql'">CONCAT('%', #{loginName}, '%')</if>
</if>
<if test="name != null and name != ''">
AND a.name like
<if test="dbName == 'oracle'">'%'||#{name}||'%'</if>
<if test="dbName == 'mssql'">'%'+#{name}+'%'</if>
<if test="dbName == 'mysql'">CONCAT('%', #{name}, '%')</if>
</if>
<!-- Data-scope filter. This is also raw-text interpolation; presumably sqlMap.dsf is built
     server-side from the current user's data scope rather than from request input — confirm. -->
${sqlMap.dsf}
<choose>
<when test="page !=null and page.orderBy != null and page.orderBy != ''">
<!-- ${...} splices page.orderBy into the statement verbatim; the test only rejects null/empty,
     so the value must be limited to known column names before it reaches this mapper.
     Where page.orderBy is populated is not shown in this listing. -->
ORDER BY ${page.orderBy}
</when>
<otherwise>
ORDER BY c.code, o.code, a.name
</otherwise>
</choose>
</select>反向查找引用
com.thinkgem.jeesite.common.persistence.CrudDao#findList
com.thinkgem.jeesite.modules.sys.service.SystemService#findUser
com.thinkgem.jeesite.modules.sys.web.UserController#list
com.thinkgem.jeesite.modules.sys.web.UserController#listData
com.thinkgem.jeesite.modules.sys.web.UserController#exportFile
/**
 * Renders the user list page.
 * <p>
 * The Page is constructed from the request and forwarded to the service as-is; no sorting or
 * paging value is inspected here. NOTE(review): UserDao.findList interpolates page.orderBy into
 * its ORDER BY clause, and how Page derives orderBy from the request is not visible in this file.
 *
 * @param user     handler argument carrying the filter fields (presumably bound from request parameters)
 * @param request  current request, used to build the Page
 * @param response current response, passed through to the Page
 * @param model    receives the resulting page under the key "page"
 * @return the user list view name
 */
@RequiresPermissions("sys:user:view")
@RequestMapping(value = {"list", ""})
public String list(User user, HttpServletRequest request, HttpServletResponse response, Model model) {
final Page<User> pageRequest = new Page<User>(request, response);
model.addAttribute("page", systemService.findUser(pageRequest, user));
return "modules/sys/userList";
}
/**
 * JSON variant of the user list: returns the Page itself as the response body.
 * <p>
 * Same data path as {@code list}: the Page built from the request goes to the service unchanged,
 * so the same orderBy handling applies.
 *
 * @param user     handler argument carrying the filter fields (presumably bound from request parameters)
 * @param request  current request, used to build the Page
 * @param response current response, passed through to the Page
 * @param model    unused here; kept for signature compatibility with the other handlers
 * @return the page of matching users, serialized as the response body
 */
@ResponseBody
@RequiresPermissions("sys:user:view")
@RequestMapping(value = {"listData"})
public Page<User> listData(User user, HttpServletRequest request, HttpServletResponse response, Model model) {
return systemService.findUser(new Page<User>(request, response), user);
}
/**
 * Exports the user list as an Excel workbook.
 * <p>
 * The Page is built with a third argument of -1 (presumably "no paging", so the whole result set
 * is exported — confirm in Page); its ordering state still comes from the request and is forwarded
 * unchanged to the same UserDao.findList query. On success the workbook is written directly to the
 * response and {@code null} is returned, i.e. no view is rendered.
 * NOTE(review): on failure the catch block puts {@code e.getMessage()} into a user-facing flash
 * message; a database error would be echoed back to the caller. Consider logging the exception
 * server-side and showing a generic message instead.
 *
 * @param user               handler argument carrying the filter fields (presumably bound from request parameters)
 * @param request            current request, used to build the Page
 * @param response           target for the workbook bytes
 * @param redirectAttributes receives the error message on failure
 * @return {@code null} after a successful write, otherwise a redirect to the user list
 */
@RequiresPermissions("sys:user:view")
@RequestMapping(value = "export", method=RequestMethod.POST)
public String exportFile(User user, HttpServletRequest request, HttpServletResponse response, RedirectAttributes redirectAttributes) {
try {
// File name: fixed prefix plus a timestamp.
String fileName = "用户数据"+DateUtils.getDate("yyyyMMddHHmmss")+".xlsx";
Page<User> page = systemService.findUser(new Page<User>(request, response, -1), user);
// Writes the workbook straight into the response, then releases it.
new ExportExcel("用户数据", User.class).setDataList(page.getList()).write(response, fileName).dispose();
return null;
} catch (Exception e) {
// Broad catch: any failure, including query errors, ends up in this message.
addMessage(redirectAttributes, "导出用户失败!失败信息:"+e.getMessage());
}
return "redirect:" + adminPath + "/sys/user/list?repage";
}还是一路畅通