Ref#
Vulnerables#
SQL_INJECTION#
注入点 1#
jshERP-2.3/src/main/resources/mapper_xml/DepotHeadMapperEx.xml — 存在大量潜在注入点，需要逐条检查参数是否被直接拼接进 SQL（`${}` 而非 `#{}`），下面只列举两个
<!-- Inbound/outbound detail listing (paged). Reviewer note: this statement mixes the two
     MyBatis parameter syntaxes. #{...} (bindKey, offset, rows) is a JDBC bind parameter and is
     safe; ${...} (beginTime, endTime, oId, pid, dids, type) is literal text substitution into the
     SQL before it is prepared, so whoever controls those request values controls the query. -->
<select id="findByAll" parameterType="com.jsh.erp.datasource.entities.DepotItemExample" resultMap="ResultWithInfoExMap">
select dh.number,m.`name` MName,m.model,m.standard,di.unit_price,di.oper_number,di.all_price,s.supplier SName,d.dName DName,
date_format(dh.oper_time, '%Y-%m-%d') OperTime, concat(dh.sub_type,dh.type) as NewType
from jsh_depot_head dh
inner join jsh_depot_item di on di.header_id=dh.id and ifnull(di.delete_flag,'0') !='1'
inner join jsh_material m on m.id=di.material_id and ifnull(m.delete_flag,'0') !='1'
inner join jsh_supplier s on s.id=dh.organ_id and ifnull(s.delete_Flag,'0') !='1'
inner join (select id,name as dName,delete_Flag from jsh_depot ) d on d.id=di.depot_id and ifnull(d.delete_Flag,'0') !='1'
<!-- FIX: where dh.oper_time >= #{beginTime} and dh.oper_time <= #{endTime}
     (drop the surrounding quotes; a bound value is quoted by the driver, '#{x}' would bind nothing) -->
where dh.oper_time >='${beginTime}' and dh.oper_time <='${endTime}'
<if test="oId != null">
<!-- FIX: and dh.organ_id = #{oId} -->
and dh.organ_id = ${oId}
</if>
<if test="pid != null">
<!-- FIX: and di.depot_id = #{pid} -->
and di.depot_id = ${pid}
</if>
<if test="pid == null">
<!-- FIX: an IN list cannot be one bind parameter. The controller receives depotIds as a String;
     split and validate it (digits only) in the service, pass a collection, and expand it with
     <foreach collection="dids" item="id" open="(" separator="," close=")">#{id}</foreach> -->
and di.depot_id in (${dids})
</if>
<if test="type != null">
<!-- FIX: and dh.type = #{type} -->
and dh.type='${type}'
</if>
<if test="materialParam != null and materialParam !=''">
<!-- This is the correct pattern for the other conditions: the wildcard is added in <bind> and the
     result is passed through #{}. ('%' and '_' inside materialParam still act as LIKE wildcards;
     that is broader matching, not injection.) -->
<bind name="bindKey" value="'%'+materialParam+'%'"/>
and (m.name like #{bindKey} or m.standard like #{bindKey} or m.model like #{bindKey})
</if>
and ifnull(dh.delete_flag,'0') !='1'
ORDER BY oper_time DESC,number desc
<if test="offset != null and rows != null">
limit #{offset},#{rows}
</if>
</select>
<!-- Row count companion of findByAll; it must keep the same WHERE clause, so it repeats the same
     ${...} substitutions (beginTime, endTime, oId, pid, dids, type) and needs the same fix:
     #{...} for scalar values, <foreach> for the IN list. Any change here must be mirrored in
     findByAll or the reported total and the returned rows will disagree. -->
<select id="findByAllCount" resultType="java.lang.Integer">
select count(1)
from jsh_depot_head dh
inner join jsh_depot_item di on di.header_id=dh.id and ifnull(di.delete_flag,'0') !='1'
inner join jsh_material m on m.id=di.material_id and ifnull(m.delete_Flag,'0') !='1'
inner join jsh_supplier s on s.id=dh.organ_id and ifnull(s.delete_Flag,'0') !='1'
inner join (select id,name as dName,delete_Flag from jsh_depot) d on d.id=di.depot_id and ifnull(d.delete_Flag,'0') !='1'
<!-- FIX: where dh.oper_time >= #{beginTime} and dh.oper_time <= #{endTime} -->
where dh.oper_time >='${beginTime}' and dh.oper_time <='${endTime}'
<if test="oId != null">
<!-- FIX: and dh.organ_id = #{oId} -->
and dh.organ_id = ${oId}
</if>
<if test="pid != null">
<!-- FIX: and di.depot_id = #{pid} -->
and di.depot_id = ${pid}
</if>
<if test="pid == null">
<!-- FIX: pass the ids as a validated collection and expand with
     <foreach collection="dids" item="id" open="(" separator="," close=")">#{id}</foreach> -->
and di.depot_id in (${dids})
</if>
<if test="type != null">
<!-- FIX: and dh.type = #{type} -->
and dh.type='${type}'
</if>
<if test="materialParam != null and materialParam !=''">
<!-- Already bound correctly via <bind> + #{} -->
<bind name="bindKey" value="'%'+materialParam+'%'"/>
and (m.name like #{bindKey} or m.standard like #{bindKey} or m.model like #{bindKey})
</if>
and ifnull(dh.delete_flag,'0') !='1'
ORDER BY oper_time DESC,number desc
</select>
反向寻找接口
com.jsh.erp.service.depotHead.DepotHeadService#findByAll → com.jsh.erp.controller.DepotHeadController#findInDetail
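/**
 * Paged inbound/outbound detail query behind {@code GET /findInDetail}.
 *
 * <p>Every request parameter is forwarded unchanged to
 * {@code depotHeadService.findByAll} / {@code findByAllCount}. In the backing
 * mapper (DepotHeadMapperEx.xml) beginTime, endTime, type, oId, pid and dids are
 * spliced into the SQL text with MyBatis {@code ${}} instead of being bound with
 * {@code #{}}, so this endpoint is an SQL-injection entry point. The durable fix
 * belongs in the mapper; until it lands, this method is the only place these
 * values could be validated (e.g. dids restricted to a digit/comma list,
 * beginTime/endTime parsed as dates) before they reach the query.
 *
 * @param currentPage 1-based page index; the LIMIT offset is (currentPage-1)*pageSize
 * @param pageSize    rows per page, also passed as the LIMIT row count
 * @param oId         organisation id filter (organId)
 * @param materialParam free-text material filter, bound via LIKE in the mapper
 * @param pid         depot id filter (projectId); when null, dids is used instead
 * @param dids        comma-separated depot ids (depotIds), used only when pid is null
 * @param beginTime   lower bound on oper_time, inclusive
 * @param endTime     upper bound on oper_time, inclusive
 * @param type        dh.type filter
 * @param request     unused here; kept for the controller signature
 * @return {@code res.code == 200} with {@code {"total": n, "rows": [...]}} on success,
 *         {@code 500} with a failure message when the service throws
 */
@GetMapping(value = "/findInDetail")
public BaseResponseInfo findInDetail(@RequestParam("currentPage") Integer currentPage,
        @RequestParam("pageSize") Integer pageSize,
        @RequestParam("organId") Integer oId,
        @RequestParam("materialParam") String materialParam,
        @RequestParam("projectId") Integer pid,
        @RequestParam("depotIds") String dids,
        @RequestParam("beginTime") String beginTime,
        @RequestParam("endTime") String endTime,
        @RequestParam("type") String type,
        HttpServletRequest request) throws Exception {
    BaseResponseInfo res = new BaseResponseInfo();
    Map<String, Object> map = new HashMap<String, Object>();
    try {
        List<DepotHeadVo4InDetail> list = depotHeadService.findByAll(beginTime, endTime, type, materialParam,
                pid, dids, oId, (currentPage - 1) * pageSize, pageSize);
        int total = depotHeadService.findByAllCount(beginTime, endTime, type, materialParam, pid, dids, oId);
        map.put("total", total);
        // rows holds the JSON data array; a null service result is reported as an empty page, not as an error
        List<DepotHeadVo4InDetail> resList = (list == null)
                ? new ArrayList<DepotHeadVo4InDetail>()
                : new ArrayList<DepotHeadVo4InDetail>(list);
        map.put("rows", resList);
        res.code = 200;
        res.data = map;
    } catch (Exception e) {
        // TODO: route through the application logger; no logger is in scope in this block,
        // so the stderr print is kept rather than silently dropping the failure
        e.printStackTrace();
        res.code = 500;
        res.data = "获取数据失败";
    }
    return res;
}
注入点 2#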
jshERP-2.3/src/main/resources/mapper_xml/MaterialMapperEx.xml — 同样存在大量潜在注入点，需要逐条检查参数是否被 `${}` 直接拼接进 SQL
<!-- Material list with optional filters. Reviewer note: barCode, name, standard and model are
     spliced into LIKE patterns with ${...} (text substitution), and categoryIds into an IN list;
     only the LIMIT uses #{...} bind parameters. The safe pattern already exists elsewhere in this
     project (DepotHeadMapperEx.xml, materialParam): build the pattern with <bind> and pass it
     through #{}. -->
<select id="selectByConditionMaterial" parameterType="com.jsh.erp.datasource.entities.MaterialExample" resultMap="ResultMapList">
select m.*,u.name unitName, mc.name categoryName, me.bar_code,
me.purchase_decimal, me.commodity_decimal, me.wholesale_decimal,me.low_decimal
FROM jsh_material m
left JOIN jsh_material_extend me on m.id = me.material_id and ifnull(me.delete_Flag,'0') !='1'
left JOIN jsh_unit u on m.unit_id = u.id and ifnull(u.delete_Flag,'0') !='1'
left JOIN jsh_material_category mc on m.category_id = mc.id and ifnull(mc.status,'0') !='2'
where 1=1
and me.default_flag=1
<if test="barCode != null">
<!-- FIX: <bind name="barCodeLike" value="'%'+barCode+'%'"/> and me.bar_code like #{barCodeLike} -->
and me.bar_code like '%${barCode}%'
</if>
<if test="name != null">
<!-- FIX: <bind name="nameLike" value="'%'+name+'%'"/> and m.name like #{nameLike} -->
and m.name like '%${name}%'
</if>
<if test="standard != null">
<!-- FIX: <bind name="standardLike" value="'%'+standard+'%'"/> and m.standard like #{standardLike} -->
and m.standard like '%${standard}%'
</if>
<if test="model != null">
<!-- FIX: <bind name="modelLike" value="'%'+model+'%'"/> and m.model like #{modelLike} -->
and m.model like '%${model}%'
</if>
<if test="categoryIds != null">
<!-- FIX: pass categoryIds as a validated collection of ids and expand it with
     <foreach collection="categoryIds" item="id" open="(" separator="," close=")">#{id}</foreach> -->
and m.category_id in (${categoryIds})
</if>
and ifnull(m.delete_flag,'0') !='1'
order by m.id desc
<if test="offset != null and rows != null">
limit #{offset},#{rows}
</if>
</select>
反向寻找接口
com.jsh.erp.datasource.mappers.MaterialMapperEx#selectByConditionMaterial ← com.jsh.erp.service.material.MaterialService#select ← com.jsh.erp.service.material.MaterialComponent#getMaterialList ← com.jsh.erp.service.material.MaterialComponent#select ← com.jsh.erp.service.CommonQueryManager#select ← com.jsh.erp.controller.ResourceController#getList
/**
 * Generic paged list endpoint, {@code GET /{apiName}/list}.
 *
 * <p>All request parameters (via {@code ParamUtils.requestToMap}) plus {@code search}
 * and the computed offset are handed as one map to
 * {@code configResourceManager.select(apiName, ...)}, which dispatches to the
 * resource's mapper; for materials that is
 * {@code MaterialMapperEx.selectByConditionMaterial}, whose filters are built
 * with {@code ${}}. Nothing in this method validates or constrains those values,
 * so any sanitisation has to happen in the component/mapper layer.
 * {@code search} is presumably JSON parsed further down (StringUtil.getInfo looks
 * like the consumer; confirm against CommonQueryManager).
 *
 * @param apiName     resource name selecting the backing query (path variable)
 * @param pageSize    optional page size; a non-positive value is replaced by 10
 * @param currentPage optional 1-based page index
 * @param search      optional search string, stored under Constants.SEARCH
 * @param request     source of the remaining parameters
 * @return JSON via {@code returnJson}: {@code page.rows} / {@code page.total};
 *         when the select returns null, rows is empty, total is
 *         {@code DEFAULT_LIST_NULL_NUMBER} and the message is "查找不到数据"
 */
@GetMapping(value = "/{apiName}/list")
public String getList(@PathVariable("apiName") String apiName,
        @RequestParam(value = Constants.PAGE_SIZE, required = false) Integer pageSize,
        @RequestParam(value = Constants.CURRENT_PAGE, required = false) Integer currentPage,
        @RequestParam(value = Constants.SEARCH, required = false) String search,
        HttpServletRequest request) throws Exception {
    Map<String, String> params = ParamUtils.requestToMap(request);
    params.put(Constants.SEARCH, search);

    // Non-positive page sizes fall back to 10; null is left for getPageOffset to handle.
    Integer effectivePageSize = (pageSize != null && pageSize <= 0) ? 10 : pageSize;
    String pageOffset = ParamUtils.getPageOffset(currentPage, effectivePageSize);
    if (StringUtil.isNotEmpty(pageOffset)) {
        params.put(Constants.OFFSET, pageOffset);
    }

    PageQueryInfo pageInfo = new PageQueryInfo();
    Map<String, Object> body = new HashMap<String, Object>();
    body.put("page", pageInfo);

    List<?> rows = configResourceManager.select(apiName, params);
    if (rows == null) {
        pageInfo.setRows(new ArrayList<Object>());
        pageInfo.setTotal(BusinessConstants.DEFAULT_LIST_NULL_NUMBER);
        return returnJson(body, "查找不到数据", ErpInfo.OK.code);
    }
    pageInfo.setRows(rows);
    pageInfo.setTotal(configResourceManager.counts(apiName, params));
    return returnJson(body, ErpInfo.OK.name, ErpInfo.OK.code);
}
注入点 n#
jshERP-2.3/src/main/resources/mapper_xml/AccountHeadMapperEx.xml- …… 大量 Mapper 中存在潜在注入点
FastJson Deserialization RCE#
jshERP-2.3/src/main/java/com/jsh/erp/utils/StringUtil.java
com.jsh.erp.utils.StringUtil#getInfo
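/**
 * Reads the string property {@code key} out of a JSON object given as text.
 *
 * <p>Contract (unchanged from the original where it did not crash): returns
 * {@code ""} when {@code search} is null; returns {@code null} when the key is
 * absent or its value is the empty string; otherwise the property as a string.
 * The original dereferenced {@code obj} and {@code value} unconditionally, so a
 * missing key or unparseable input surfaced as a NullPointerException.
 *
 * <p>SECURITY: {@code search} is request-controlled text handed straight to
 * fastjson's {@code parseObject}. With fastjson autoType enabled, an object
 * carrying an {@code "@type"} key is instantiated as that class, which is the
 * deserialization-RCE class of bugs this helper is reachable from. The
 * {@code ParserConfig} in effect must have autoType disabled (safeMode), and
 * callers should treat the parsed value as plain data only.
 *
 * @param search JSON object text, may be null
 * @param key    property name to read
 * @return the property value, {@code null} if absent/empty, {@code ""} if search is null
 */
public static String getInfo(String search, String key) {
    String value = "";
    if (search != null) {
        JSONObject obj = JSONObject.parseObject(search);
        // parseObject may yield null (e.g. for empty text); do not dereference it blindly
        value = (obj == null) ? null : obj.getString(key);
        // getString returns null for a missing key; the old value.equals("") threw NPE here
        if (value == null || value.isEmpty()) {
            value = null;
        }
    }
    return value;
}
反向可寻找到大量接口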