BUG_Author: R1ckyZ
Affected Version: dataCompare ≤ 1.0.1
Vendor: dromara
Software: dataCompare
Vulnerability Files:
src/main/java/com/vince/xq/project/tool/gen/controller/GenController.java
Description:
When executing a table-creation SQL statement, the /createTable endpoint in GenController checks only that the parsed input is a MySqlCreateTableStatement; it does not validate or sanitize the table alias (the table name the statement declares) before using it. Because the type check constrains the statement kind but not the identifier inside it, an authenticated attacker can embed a malicious SQL payload in the table alias, leading to SQL injection.
Proof of Concept:
- After logging in, send a POST request to /tool/gen/createTable whose statement parameter carries a CREATE TABLE statement with the injection payload in the table alias, as shown in the image below.
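The report does not reproduce the handler, so the following is an added example, not dataCompare's code: it models in Python the described gap (a statement-type check that passes both a benign CREATE TABLE and one whose table identifier smuggles in a second statement) beside the identifier allowlist and single-statement check a maintainer would add. The sample statements, function names and the identifier rules (a subset of MySQL's unquoted-identifier syntax) are assumptions for illustration.

```python
"""Statement-type check vs. identifier allowlist for a CREATE TABLE endpoint.

Added illustration in plain Python (stdlib only); not the project's code.
"""
import re

# Constructed sample inputs for this example; they are not payloads from the report.
BENIGN_SQL = "CREATE TABLE orders (id INT PRIMARY KEY, amount DECIMAL(10,2))"
HOSTILE_SQL = "CREATE TABLE `t`; DROP TABLE users; -- ` (id INT)"

_CREATE_TABLE_RE = re.compile(
    r"^\s*CREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?(.+?)\s*\(",
    re.IGNORECASE | re.DOTALL,
)
# Allowlist: letters, digits, underscore, at most 64 characters (MySQL's limit).
_IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def is_create_table(sql: str) -> bool:
    """Statement-type check only: the kind of check the report says is insufficient."""
    return _CREATE_TABLE_RE.match(sql) is not None


def raw_table_name(sql: str) -> str:
    """Return whatever sits between CREATE TABLE and the column list, unvalidated."""
    m = _CREATE_TABLE_RE.match(sql)
    if m is None:
        raise ValueError("not a CREATE TABLE statement")
    return m.group(1).strip()


def validate_identifier(name: str) -> str:
    """Accept a bare or backtick-quoted simple identifier; return it unquoted or raise."""
    if len(name) >= 3 and name.startswith("`") and name.endswith("`"):
        name = name[1:-1]
    if not _IDENT_RE.match(name):
        raise ValueError(f"rejected table identifier: {name!r}")
    return name


def count_statements(sql: str) -> int:
    """Count top-level statements: ';' outside '...', "..." and `...` quotes.

    Comments are not parsed, so text after '--' still counts as code; that is the
    conservative direction for a gate that only wants to admit one statement.
    """
    quote = None
    count = 0
    seen_text = False
    for ch in sql:
        if quote:
            if ch == quote:
                quote = None
            continue
        if ch in "'\"`":
            quote = ch
            seen_text = True
        elif ch == ";":
            if seen_text:
                count += 1
            seen_text = False
        elif not ch.isspace():
            seen_text = True
    return count + (1 if seen_text else 0)


def admit_create_table(sql: str) -> str:
    """Hardened gate: statement type, exactly one statement, allowlisted identifier.

    Returns the unquoted table name the endpoint may go on to use; raises otherwise.
    """
    if not is_create_table(sql):
        raise ValueError("only CREATE TABLE is accepted")
    if count_statements(sql) != 1:
        raise ValueError("exactly one statement is accepted")
    return validate_identifier(raw_table_name(sql))


def admits(sql: str) -> bool:
    """True if the hardened gate lets the statement through."""
    try:
        admit_create_table(sql)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for label, sql in (("benign", BENIGN_SQL), ("hostile", HOSTILE_SQL)):
        print(label, "type check:", is_create_table(sql), "hardened gate:", admits(sql))
```

Both inputs satisfy the type check, which is why checking the statement class alone proves nothing about the identifier it carries; the hardened gate rejects the hostile input twice over, once for containing more than one statement and once because the unquoted identifier is not a plain name. A further hardening step, if the endpoint re-embeds the name in SQL it builds itself, is to re-quote the validated name with backticks rather than reusing the raw text from the request.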