src/main/resources/mybatis/system/UserMapper.xml
There is a ${} in this mapper
Search selectUserList to see where the this select id is used:
UserController.java
Query user information:
Follow up the selectUserList method to see the specific implementation:
UserServiceImpl.java
The parameters in the User are passed into the mapper for SQL operation. Because the datascope is controllable, the vulnerability is generated
Verification:
Splice URL and parameters according to code:
Use error injection to query the database version:
params[dataScope]=and+extractvalue(1,concat(0x7e,substring((select+version()),1,32),0x7e))
Select database name:
src/main/resources/mybatis/system/UserMapper.xml
There is a ${} in this mapper
Search selectUserList to see where the this select id is used:
UserController.java
Query user information:
Follow up the selectUserList method to see the specific implementation:
UserServiceImpl.java
The parameters in the User are passed into the mapper for SQL operation. Because the datascope is controllable, the vulnerability is generated
Verification:
Splice URL and parameters according to code:
Use error injection to query the database version:
params[dataScope]=and+extractvalue(1,concat(0x7e,substring((select+version()),1,32),0x7e))Select database name:
