Lostvip-com Ruoyi-go SQL Injection Vulnerability in Background Management Component
Vulnerability
A SQL injection vulnerability has been identified in Lostvip-com Ruoyi-go version 2.1, in the background management component, specifically in the 'SelectListPage' function of 'modules/system/dao/SysRoleDao.go'. The function builds the role list query from the request's 'sortName' parameter without validating it, so a remote attacker can place arbitrary SQL into the query and have the database execute it. The root cause is the absence of input validation and parameter restrictions on the sort field.
Impact
Exploitation of this vulnerability lets an attacker alter the database query issued by the role list endpoint. This can lead to unauthorized data access, modification or deletion of data, and, depending on the database account's privileges, execution of administrative operations on the database.
Reproduction
To reproduce this vulnerability, send a POST request to '/system/role/list' with the 'sortName' parameter set to a SQL payload. Because 'sortName' is inserted into the query without validation, the injected SQL is executed by the database, which confirms the injection. Since the endpoint belongs to the background management component, use a session that can reach that page.
Remediation
It is recommended to implement strict validation for sorting parameters: accept only a predefined allowlist of legitimate field names, and restrict the sort direction to 'asc' or 'desc'. Note that prepared statements alone do not fix this class of bug, because ORDER BY takes column identifiers, not bound values; the identifier must be chosen from a fixed set on the server side. Additionally, use the sorting methods provided by the ORM framework rather than concatenating user-supplied sort strings directly into SQL statements.
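The following Go snippet is an added example illustrating the vulnerable pattern and the allowlist fix described above. It is not Ruoyi-go's own code: the table and column names, the 'sys_role' query, the accepted sort keys and the 'sortOrder' parameter are all assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Vulnerable pattern (illustrative, not the project's actual code): the
// client-controlled sort field and direction are concatenated straight into
// the ORDER BY clause, so whatever the client sends reaches the database.
func buildRoleQueryVulnerable(sortName, sortOrder string) string {
	return "SELECT role_id, role_name FROM sys_role ORDER BY " + sortName + " " + sortOrder
}

// Allowlist of sortable fields. Keys are the names the API accepts; values
// are the real column identifiers (assumed names for this example).
var allowedSortColumns = map[string]string{
	"roleId":     "role_id",
	"roleName":   "role_name",
	"roleSort":   "role_sort",
	"createTime": "create_time",
}

var ErrInvalidSort = errors.New("invalid sort parameter")

// validateSort maps user input onto the allowlist. Anything that is not a
// known field name, or not asc/desc, is rejected before any SQL is built.
func validateSort(sortName, sortOrder string) (column, direction string, err error) {
	column, ok := allowedSortColumns[strings.TrimSpace(sortName)]
	if !ok {
		return "", "", ErrInvalidSort
	}
	switch strings.ToLower(strings.TrimSpace(sortOrder)) {
	case "", "asc":
		direction = "ASC"
	case "desc":
		direction = "DESC"
	default:
		return "", "", ErrInvalidSort
	}
	return column, direction, nil
}

// Hardened builder: only allowlisted identifiers ever reach the query text.
func buildRoleQuerySafe(sortName, sortOrder string) (string, error) {
	column, direction, err := validateSort(sortName, sortOrder)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("SELECT role_id, role_name FROM sys_role ORDER BY %s %s", column, direction), nil
}

func main() {
	// Constructed sample inputs: a legitimate sort key and an injection attempt.
	legit := "roleName"
	payload := "role_id; SELECT version()"

	fmt.Println("vulnerable:", buildRoleQueryVulnerable(payload, "asc"))

	if q, err := buildRoleQuerySafe(legit, "desc"); err == nil {
		fmt.Println("safe:", q)
	}
	if _, err := buildRoleQuerySafe(payload, "asc"); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The vulnerable builder shows why binding cannot help here: the payload becomes part of the query text itself. The safe builder never uses the client string as an identifier; it only uses it as a lookup key, so the set of possible queries is fixed at compile time.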
