Summary
A SQL injection vulnerability exists in the order() method of CrudOption.java that affects all 14 CRUD controllers in cool-admin-java. The order parameter from user HTTP requests is directly concatenated into the SQL ORDER BY clause without any whitelist validation. An authenticated attacker can exploit this to perform blind SQL injection, extract arbitrary data from the database.
Vulnerability Details
Affected Component
- File:
src/main/java/com/cool/core/request/CrudOption.java
- Method:
private void order(QueryWrapper queryWrapper, Class<T> entityClass)
- Lines: 203–224
Root Cause
The order parameter is obtained from user-controlled requestParams at line 216:
String order = requestParams.getStr("order",
tableAnnotation.camelToUnderline() ? "create_time" : "createTime");
It then undergoes only a cosmetic transformation (StrUtil.toUnderlineCase for camelCase-to-snake_case conversion) before being directly concatenated into a raw SQL fragment at line 220-222:
queryWrapper.orderBy(
tableAlias + (tableAnnotation.camelToUnderline() ? StrUtil.toUnderlineCase(order) : order),
sort.equals("asc"));
The MyBatis-Flex QueryWrapper.orderBy(String orderBy, boolean isAsc) overload treats its first argument as a raw SQL fragment — it is NOT parameterized. No whitelist map of allowed column names exists anywhere in the call chain.
Affected Endpoints (14 Controllers)
All controllers extending BaseController inherit the vulnerable /page and /list endpoints:
| # |
Controller |
Module |
Path Prefix |
| 1 |
AdminDictInfoController |
dict |
/admin/dict/info |
| 2 |
AdminDictTypeController |
dict |
/admin/dict/type |
| 3 |
AppDictInfoController |
dict |
/app/dict/info |
| 4 |
AdminUserInfoController |
user |
/admin/user/info |
| 5 |
AppUserAddressController |
user |
/app/user/address |
| 6 |
AdminTaskInfoController |
task |
/admin/task/info |
| 7 |
AdminRecycleDataController |
recycle |
/admin/recycle/data |
| 8 |
AdminSpaceTypeController |
space |
/admin/space/type |
| 9 |
AdminSpaceInfoController |
space |
/admin/space/info |
| 10 |
AdminBaseSysDepartmentController |
base |
/admin/base/sys/department |
| 11 |
AdminBaseSysLogController |
base |
/admin/base/sys/log |
| 12 |
AdminBaseSysUserController |
base |
/admin/base/sys/user |
| 13 |
AdminBaseSysParamController |
base |
/admin/base/sys/param |
| 14 |
AdminBaseSysRoleController |
base |
/admin/base/sys/role |
Proof of Concept (PoC)
POST /dev/admin/dict/type/page HTTP/1.1
Host: 192.168.0.5:9000
Authorization: <valid_jwt_token>
Content-Type: application/json
Origin: http://192.168.0.5:9000
Referer: http://192.168.0.5:9000/dict/list
{"order":"createTime","sort":"asc","page":1,"size":50,"keyWord":""}

Summary
A SQL injection vulnerability exists in the
order()method ofCrudOption.javathat affects all 14 CRUD controllers in cool-admin-java. Theorderparameter from user HTTP requests is directly concatenated into the SQLORDER BYclause without any whitelist validation. An authenticated attacker can exploit this to perform blind SQL injection, extract arbitrary data from the database.Vulnerability Details
Affected Component
src/main/java/com/cool/core/request/CrudOption.javaprivate void order(QueryWrapper queryWrapper, Class<T> entityClass)Root Cause
The
orderparameter is obtained from user-controlledrequestParamsat line 216:It then undergoes only a cosmetic transformation (
StrUtil.toUnderlineCasefor camelCase-to-snake_case conversion) before being directly concatenated into a raw SQL fragment at line 220-222:The MyBatis-Flex
QueryWrapper.orderBy(String orderBy, boolean isAsc)overload treats its first argument as a raw SQL fragment — it is NOT parameterized. No whitelist map of allowed column names exists anywhere in the call chain.Affected Endpoints (14 Controllers)
All controllers extending
BaseControllerinherit the vulnerable/pageand/listendpoints:/admin/dict/info/admin/dict/type/app/dict/info/admin/user/info/app/user/address/admin/task/info/admin/recycle/data/admin/space/type/admin/space/info/admin/base/sys/department/admin/base/sys/log/admin/base/sys/user/admin/base/sys/param/admin/base/sys/roleProof of Concept (PoC)