CVE-2022-37202 nday 研究 sql

0x1 SQL 注入 CVE-2022-37202

描述

/admin/advicefeedback/list 参数处理不当,可被利用执行恶意SQL命令。

代码

java 复制代码
 public SQLUtils(String sql) {
        sqlBuffer = new StringBuffer(sql);
    }

tb_advice_feedback表下查询

java 复制代码
@ControllerBind(controllerKey = "/admin/advicefeedback")
public class AdvicefeedbackController extends BaseProjectController {

	private static final String path = "/pages/admin/advicefeedback/advicefeedback_";

	public void list() {
//这里自动获取
		TbAdviceFeedback model = getModelByAttr(TbAdviceFeedback.class);
//查询
		SQLUtils sql = new SQLUtils(" from tb_advice_feedback t where 1=1 ");
//某个条件
		if (model.getAttrValues().length != 0) {
//拼接t,存储进alias
			sql.setAlias("t");
// 查询条件,model.获取,代入
			sql.whereLike("username", model.getStr("username"));
			sql.whereLike("qq", model.getStr("qq"));
			sql.whereLike("email", model.getStr("email"));
			sql.whereLike("telphone", model.getStr("telphone"));
		}

// 排序
//怎么获取
		String orderBy = getBaseForm().getOrderBy();
//sql
		if (StrUtils.isEmpty(orderBy)) {
//尾部添加
			sql.append(" order by t.id desc ");
		} else {
//拼接
			sql.append(" order by ").append(orderBy);
		}

		Page<TbAdviceFeedback> page = TbAdviceFeedback.dao.paginate(getPaginator(), "select t.* ", //
				sql.toString().toString());

		// 下拉框
		setAttr("page", page);
		setAttr("attr", model);
		render(path + "list.html");
	}

String orderBy = getBaseForm().getOrderBy()

java 复制代码
	public BaseForm getBaseForm() {
		BaseForm form = super.getAttr("form");
		return form == null ? new BaseForm() : form;
	}
java 复制代码
public String getOrderBy() {
		if (StrUtils.isEmpty(getOrderColumn())) {
			return "";
		}
//返回字符串
		return " " + getOrderColumn() + " " + getOrderAsc() + " ";
	}

whereLike sql

java 复制代码
 private String alias = "";
public void setAlias(String alias) {
        this.alias = alias;
    }
java 复制代码
//键,值
public void whereLike(String attrName, String value) {
//过滤
        if (checkSQLInject(attrName) || checkSQLInject(value)) {
//返回正常字段
            return;
        }
//代入查询,值
 if (StrUtils.isNotEmpty(value)) {
//t拼接attrName
//append(value)可控
//模糊匹配value
            sqlBuffer.append(" AND " + getAttrName(attrName) + " LIKE '%").append(value).append("%'");
        }
    }
java 复制代码
    private String getAttrName(String attrName) {
        if (StrUtils.isEmpty(alias)) {
//返回attrName
            return attrName;
        }
//拼接
        return alias + "." + attrName;
    }
java 复制代码
//sql.setAlias("t");
private String alias = "";
java 复制代码
//建过滤
public static boolean checkSQLInject(String str) {
        // 如果传入空串则认为不存在非法字符
        if (StrUtils.isEmpty(str)) {
            return false;
        }

// 判断黑名单
        String[] blacks = {"script", "mid", "master", "truncate", "insert", "select", "delete", "update", "declare",
                "iframe", "'", "onreadystatechange", "alert", "atestu", "xss", ";", "'", "<", ">", "(", ")",
                // ",",, "\""
                "\\", "svg", "confirm", "prompt", "onload", "onmouseover", "onfocus", "onerror"};
        // 判断白名单
        String[] whites = {"updatetime", "update_time", "\""};

        // sql不区分大小写
        str = str.toLowerCase();
//2选1
//完整判断
        for (int i = 0; i < whites.length; i++) {
            if (whites[i].equals(str)) {
                return false;
            }
        }
//黑名单
        for (int i = 0; i < blacks.length; i++) {
//字符判断
            if (str.indexOf(blacks[i]) >= 0) {
//日志
                logger.error("SQLInject 原因:特殊字符,传入str=" + str + ",包含特殊字符:" + blacks[i]);
//检查到sql
                return true;
            }
        }
        return false;
    }
}
java 复制代码
//值过滤
public static boolean checkSQLInject(String str) {
        // 如果传入空串则认为不存在非法字符
        if (StrUtils.isEmpty(str)) {
            return false;
        }

        // 判断黑名单
//url绕过(post排除),/**/绕过,不安全过滤
        String[] blacks = {"script", "mid", "master", "truncate", "insert", "select", "delete", "update", "declare",
                "iframe", "'", "onreadystatechange", "alert", "atestu", "xss", ";", "'", "<", ">", "(", ")",
                // ",",, "\""
                "\\", "svg", "confirm", "prompt", "onload", "onmouseover", "onfocus", "onerror"};
        // 判断白名单
        String[] whites = {"updatetime", "update_time", "\""};

        // sql不区分大小写
        str = str.toLowerCase();
//判断是不是白名单,必须有字符
        for (int i = 0; i < whites.length; i++) {
            if (whites[i].equals(str)) {
                return false;
            }
        }
//报错
        for (int i = 0; i < blacks.length; i++) {
            if (str.indexOf(blacks[i]) >= 0) {
                logger.error("SQLInject 原因:特殊字符,传入str=" + str + ",包含特殊字符:" + blacks[i]);
                return true;
            }
        }
        return false;
    }
}
java 复制代码
public String getStr(String attr) {
		// return (String)attrs.get(attr);
		Object s = attrs.get(attr);
		return s != null ? s.toString() : null;
	}
java 复制代码
public V get(Object key) {
        Node<K,V> e;
        return (e = getNode(hash(key), key)) == null ? null : e.value;
    }

poc

其实思路很明显了,闭合',并且绕过过滤

为什么闭合单引号

sqlBuffer.append(" AND " + getAttrName(attrName) + " LIKE '%").append(value).append("%'")

实际拼接

AND name LIKE '%abc%'

重点

sqlBuffer.append(" AND " + getAttrName(attrName) + " LIKE '%").append(value).append("%'");

绕过

{"script", "mid", "master", "truncate", "insert", "select", "delete", "update", "declare",

"iframe", "'", "onreadystatechange", "alert", "atestu", "xss", ";", "'", "<", ">", "(", ")",

// ",",, "\""

"\\", "svg", "confirm", "prompt", "onload", "onmouseover", "onfocus", "onerror"};

验证

如果拼接过后是%%%,就会全部展现出来。

复现

这个功能,查询功能

刷新发现有默认

子页面保存,一次注入

相关推荐
Championship.23.245 小时前
Linux 3.0 锁机制与故障排查详解
linux·运维·服务器
天疆说6 小时前
Zotero Connector 在 Edge 里找不到桌面 Zotero(Linux / Zotero 9.0.6 / Edge 150)
linux·前端·edge
风123456789~7 小时前
【Linux专栏】ls 排除某个文件
linux·运维·服务器
IT曙光8 小时前
ubuntu apt-get离线源制作
linux·ubuntu
其实防守也摸鱼8 小时前
运维--学习阶段问题解答(1)(自测)
linux·运维·服务器·数据库·学习·自动化·命令模式
懒鸟一枚8 小时前
深入理解 Linux 内存、Swap 交换分区与分页机制的关系
java·linux·数据库
Darkwanderor10 小时前
对Linux的进程控制的研究
linux·运维·c++
XUHUOJUN10 小时前
Windows 2025架构深度分析之Stretch Cluster 延迟工程现实
windows·microsoft·架构·azure local
love530love11 小时前
将 ChatCut MCP 插件从 Codex 桌面应用移植到 WorkBuddy —— 完整适配实录
ide·人工智能·windows·视频剪辑·ai agent
works cart12 小时前
windows常用命令
windows