YOSHOP 2.0 Unauthenticated SQL Injection Vulnerability Allowing Remote Code Execution
Vulnerability
An unauthenticated SQL injection vulnerability has been identified in YOSHOP version 2.0, specifically within the 'goodsIds' parameter of the '/api/goods/listByIds' endpoint. The issue arises because the 'getListByIds' function improperly concatenates user input into a raw SQL query without adequate sanitization. This vulnerability allows attackers to enumerate or modify database information, such as dumping admin password hashes, and on MySQL servers with sufficient privileges, it could be exploited to execute remote code by writing web-shells or using 'xp_cmdshell'.
Impact
The injection is blind, and exploiting it gives an unauthenticated attacker the ability to read and manipulate the database. Where the database account has sufficient permissions, it can additionally lead to remote code execution on the affected server.
Reproduction
To reproduce this vulnerability, send a POST request to the '/api/goods/listByIds' endpoint with a JSON body containing a crafted 'goodsIds' parameter. Because the parameter is concatenated into the raw SQL query, the injected payload is executed as part of that query. This can be verified with payloads that alter the query's logic or append SQL that the database then executes.
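The concatenation flaw the advisory describes, beside the parameterized, allow-listed fix, as an added example for illustration (not YOSHOP's own code; the goods table schema, column names and function names are assumptions, and the sample rows are constructed):

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed in-memory stand-in for the goods table (schema is an assumption).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE goods (goods_id INTEGER PRIMARY KEY, name TEXT, is_delete INTEGER)")
    conn.executemany("INSERT INTO goods VALUES (?, ?, ?)",
                     [(1, "mug", 0), (2, "hat", 0), (3, "hidden", 1)])
    return conn

def list_by_ids_vulnerable(conn: sqlite3.Connection, goods_ids: str) -> list:
    # Mirrors the flaw: the raw 'goodsIds' string is pasted into the SQL text,
    # so anything after the id list rewrites the WHERE clause.
    sql = f"SELECT goods_id, name FROM goods WHERE goods_id IN ({goods_ids}) AND is_delete = 0"
    return conn.execute(sql).fetchall()

def parse_goods_ids(goods_ids: str) -> list[int]:
    # Allow-list: the parameter may only be a non-empty, comma-separated list of integers.
    ids = []
    for part in goods_ids.split(","):
        part = part.strip()
        if not part.isdigit():
            raise ValueError(f"invalid goods id: {part!r}")
        ids.append(int(part))
    if not ids:
        raise ValueError("empty goods id list")
    return ids

def accepts_goods_ids(goods_ids: str) -> bool:
    # Convenience check for input validation (e.g. to log rejected requests).
    try:
        parse_goods_ids(goods_ids)
        return True
    except ValueError:
        return False

def list_by_ids_safe(conn: sqlite3.Connection, goods_ids: str) -> list:
    # Hardened form: validated integers are bound via placeholders, never concatenated.
    ids = parse_goods_ids(goods_ids)
    placeholders = ",".join("?" * len(ids))
    sql = f"SELECT goods_id, name FROM goods WHERE goods_id IN ({placeholders}) AND is_delete = 0"
    return conn.execute(sql, ids).fetchall()
```

A tautology in the id list makes the vulnerable query return the soft-deleted row as well, while the hardened version rejects the same input before any SQL is built.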
