Skip to content

SQL Injection via ORDER BY Clause — Unvalidated User Input Concatenated into Dynamic SQL in CrudOption.order() #19

Description

@colind0pe

Summary

A SQL injection vulnerability exists in the order() method of CrudOption.java that affects all 14 CRUD controllers in cool-admin-java. The order parameter from user HTTP requests is directly concatenated into the SQL ORDER BY clause without any whitelist validation. An authenticated attacker can exploit this to perform blind SQL injection, extract arbitrary data from the database.

Vulnerability Details

Affected Component

  • File: src/main/java/com/cool/core/request/CrudOption.java
  • Method: private void order(QueryWrapper queryWrapper, Class<T> entityClass)
  • Lines: 203–224

Root Cause

The order parameter is obtained from user-controlled requestParams at line 216:

String order = requestParams.getStr("order",
        tableAnnotation.camelToUnderline() ? "create_time" : "createTime");

It then undergoes only a cosmetic transformation (StrUtil.toUnderlineCase for camelCase-to-snake_case conversion) before being directly concatenated into a raw SQL fragment at line 220-222:

queryWrapper.orderBy(
        tableAlias + (tableAnnotation.camelToUnderline() ? StrUtil.toUnderlineCase(order) : order),
        sort.equals("asc"));

The MyBatis-Flex QueryWrapper.orderBy(String orderBy, boolean isAsc) overload treats its first argument as a raw SQL fragment — it is NOT parameterized. No whitelist map of allowed column names exists anywhere in the call chain.

Affected Endpoints (14 Controllers)

All controllers extending BaseController inherit the vulnerable /page and /list endpoints:

# Controller Module Path Prefix
1 AdminDictInfoController dict /admin/dict/info
2 AdminDictTypeController dict /admin/dict/type
3 AppDictInfoController dict /app/dict/info
4 AdminUserInfoController user /admin/user/info
5 AppUserAddressController user /app/user/address
6 AdminTaskInfoController task /admin/task/info
7 AdminRecycleDataController recycle /admin/recycle/data
8 AdminSpaceTypeController space /admin/space/type
9 AdminSpaceInfoController space /admin/space/info
10 AdminBaseSysDepartmentController base /admin/base/sys/department
11 AdminBaseSysLogController base /admin/base/sys/log
12 AdminBaseSysUserController base /admin/base/sys/user
13 AdminBaseSysParamController base /admin/base/sys/param
14 AdminBaseSysRoleController base /admin/base/sys/role

Proof of Concept (PoC)

POST /dev/admin/dict/type/page HTTP/1.1
Host: 192.168.0.5:9000
Authorization: <valid_jwt_token>
Content-Type: application/json
Origin: http://192.168.0.5:9000
Referer: http://192.168.0.5:9000/dict/list

{"order":"createTime","sort":"asc","page":1,"size":50,"keyWord":""}
Image

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions