Lostvip-com Ruoyi-go SQL Injection Vulnerability in DictDataDao.go

Vulnerability

A SQL injection vulnerability has been identified in the Ruoyi Background Management System (Golang version) developed by lostvip.com, affecting versions up to and including 2.1. The issue lies in the 'SelectListByPage' function within 'modules/system/dao/DictDataDao.go', where user-supplied sorting parameters reach the SQL query without validation. This allows arbitrary SQL statements to be injected and executed, potentially leading to unauthorized data access or manipulation. The flaw can be exploited remotely, and an exploit is publicly available.

Impact

Successful exploitation lets an attacker manipulate the SQL queries issued by the application to read, modify, or delete database contents. Depending on the database configuration, it could also lead to bypassing authentication and authorization mechanisms, executing system commands, and causing denial-of-service conditions.

Reproduction

To reproduce this vulnerability, send a POST request to '/system/dict/data/list' with the 'orderByColumn' and 'isAsc' parameters set to values containing SQL fragments. Because these parameters are not validated before being incorporated into the query, the injected SQL is executed, demonstrating the vulnerability.

Remediation

It is recommended to implement strict validation for sorting parameters: restrict 'orderByColumn' to a predefined list of sortable fields and accept only 'asc' or 'desc' for the sort direction. Additionally, use the secure sorting methods provided by the ORM framework so that user-supplied sorting strings are never concatenated directly into SQL queries. Applying these measures mitigates the risk of SQL injection through sorting parameters.
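The following Go code is an added example of the remediation described above; it is not code from the ruoyi-go project and the column names, the sys_dict_data table and the accepted spellings of the direction parameter are assumptions. The request values are used only as keys into an allow-list, and the ORDER BY clause is assembled from the allow-list's own constants, so no user-supplied text ever reaches the query string.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Allow-list of sortable columns for the dictionary-data listing. The key is
// the value accepted in the orderByColumn request parameter; the value is the
// actual column name used in SQL. Constructed for this example: the real
// ruoyi-go schema may differ.
var dictDataSortColumns = map[string]string{
	"dictCode":   "dict_code",
	"dictSort":   "dict_sort",
	"dictLabel":  "dict_label",
	"dictValue":  "dict_value",
	"createTime": "create_time",
}

// ErrBadSort is returned for any sort parameter not in the allow-list.
var ErrBadSort = errors.New("invalid sort parameter")

// BuildOrderBy validates orderByColumn and isAsc and returns an ORDER BY
// clause built exclusively from allow-listed constants. An empty column means
// "no sorting requested" and yields an empty clause so the caller can apply
// its default order. Both "asc"/"desc" and "ascending"/"descending" are
// accepted as direction spellings (assumption about the client's wire format).
func BuildOrderBy(orderByColumn, isAsc string) (string, error) {
	if orderByColumn == "" {
		return "", nil
	}
	col, ok := dictDataSortColumns[orderByColumn]
	if !ok {
		// Reject rather than sanitize: anything outside the allow-list,
		// including values that merely contain a valid column name, is refused.
		return "", fmt.Errorf("%w: column %q", ErrBadSort, orderByColumn)
	}
	var dir string
	switch strings.ToLower(strings.TrimSpace(isAsc)) {
	case "", "asc", "ascending":
		dir = "ASC"
	case "desc", "descending":
		dir = "DESC"
	default:
		return "", fmt.Errorf("%w: direction %q", ErrBadSort, isAsc)
	}
	return fmt.Sprintf("ORDER BY %s %s", col, dir), nil
}

// SelectDictDataQuery builds the paged list query. Filter and paging values
// are bound through placeholders; only the validated ORDER BY clause is
// appended as text, and it contains nothing derived from raw input.
func SelectDictDataQuery(orderByColumn, isAsc string) (string, error) {
	orderBy, err := BuildOrderBy(orderByColumn, isAsc)
	if err != nil {
		return "", err
	}
	q := "SELECT dict_code, dict_sort, dict_label, dict_value " +
		"FROM sys_dict_data WHERE dict_type = ?"
	if orderBy != "" {
		q += " " + orderBy
	}
	return q + " LIMIT ? OFFSET ?", nil
}

func main() {
	// Accepted: an allow-listed column and a recognised direction.
	q, err := SelectDictDataQuery("dictSort", "desc")
	fmt.Println(q, err)

	// Rejected: a column name that is not on the allow-list.
	_, err = SelectDictDataQuery("not_a_column", "asc")
	fmt.Println("rejected:", err)

	// Rejected: an unrecognised direction.
	_, err = SelectDictDataQuery("dictSort", "sideways")
	fmt.Println("rejected:", err)
}
```

When wiring this into a handler, log the rejection (the parameter name and a truncated copy of the offending value) and return a 400 response; repeated rejections from one client on this endpoint are a useful detection signal for probing of the sorting parameters.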

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread:         0.0
impact:         7.5
exploitability: 6.6
remediation:    0.0
relevance:      0.4
threat:         6.4
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.