某ERP SupplierController.java 注入漏洞 – 作者:qq1654985095

漏洞位置：

F:\test\JSH_ERP\src\main\java\com\jsh\erp\controller\SupplierController.java

参数type 传入supplierService.findByAll,跟进findByAll

F:\test\JSH_ERP\src\main\java\com\jsh\erp\service\supplier\SupplierService.java

发现tyype传入supplierMapperEx.findByAll，findbbyall是接口

F:\test\JSH_ERP\src\main\java\com\jsh\erp\datasource\mappers\SupplierMapperEx.java

F:\test\JSH_ERP\src\main\resources\mapper_xml\SupplierMapperEx.xml

系统使用Mybatis,在SupplierMapperEx.xml,type使用$接受参数，导致注入

利用过程：

GET /supplier/exportExcel?browserType=Firefox&supplier=&type=%E5%AE%A2%E6%88%B7&phonenum=&telephone=&description= HTTP/1.1

Host: 127.0.0.1:8081

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3

Accept-Encoding: gzip, deflate

Referer: http://127.0.0.1:8081/pages/manage/customer.html

Cookie: _jspxcms=8ee2660c06584f17b8cf85961c0e8ad1; Hm_lvt_1cd9bcbaae133f03a6eb19da6579aaba=1613738333,1614580147; UM_distinctid=177bd9bc1842b-0a49273d26a4258-49594134-100200-177bd9bc1862b; CNZZDATA1271300655=172443026-1613793850-%7C1613806088; JSESSIONID=863581BA8A42548A120614EBE771F6C5; remember-me=YWRtaW46MTYxNTc3NjU2NDgxMzphOTUwYzY5MWRlZTJkYWY2YWNjYTE5NDFiNzY0OGM1Zg; XSRF-TOKEN=9e46680a-f1a2-41da-be1d-0bcefdae9ff7; Hm_lpvt_1cd9bcbaae133f03a6eb19da6579aaba=1614584328; Hm_lvt_104e825088869ff9c5855f24ab8204c2=1614580174; Hm_lpvt_104e825088869ff9c5855f24ab8204c2=1614581067

Connection: keep-alive

来源：freebuf.com 2021-03-15 14:44:54 by: qq1654985095