Lostvip-com Ruoyi-go SQL Injection Vulnerability in System Router Module

Vulnerability

A SQL injection vulnerability has been identified in the Ruoyi Background Management System (Golang version) developed by Lostvip. It affects versions through 2.1 and is located in the 'SelectListByPage' function in 'modules/system/system_router.go'. The 'orderByColumn' and 'isAsc' request parameters, which select the sort column and sort direction for a paged list query, are used to build the SQL statement without validation, so a remote attacker can inject arbitrary SQL into the query. Sort identifiers cannot be passed as bound parameters, which is why this class of injection survives even in code that otherwise uses prepared statements.

Impact

Exploitation allows an attacker to execute arbitrary SQL in the context of the application's database account. Depending on the database engine and the privileges of that account, this can lead to unauthorized data access, data manipulation or deletion, bypass of application authentication and authorization, and in some configurations execution of system commands on the database host.

Reproduction

To reproduce, send a POST request to '/system/dict/list' with the 'orderByColumn' parameter set to a crafted SQL fragment, such as a subquery that calls a time-based function like 'sleep()'. Because the parameter is inserted into the query unvalidated, the database executes the injected fragment; with a time-based payload the injection is confirmed by a measurable delay in the response, which is the usual way to verify blind injection when no query output is reflected. The 'isAsc' parameter can be tested the same way.

Remediation

Validate sorting and pagination parameters strictly before they reach the query. For 'orderByColumn', map the client-facing sort key to a fixed column name through an allowlist and reject anything not in the list; for 'isAsc', accept only the literal values for ascending and descending. Never concatenate either value into the SQL text. Use the sorting helpers provided by the ORM where they accept only column references, and clamp page number and page size to sane ranges so a client cannot request arbitrarily large result sets.
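The following Go program is an added example written for this page; it is not code from the Ruoyi-go project. It places the vulnerable pattern the advisory describes (request-controlled sort parameters concatenated into the query text) next to a hardened builder that uses a column allowlist, a fixed set of sort directions, and clamped pagination. The table name 'sys_dict_type', the column names, the accepted direction spellings and the page-size limit are assumptions chosen for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed illustration of the vulnerable pattern: the sort column and
// direction taken from the request are concatenated straight into the SQL
// text, so whatever the client sends is executed by the database.
// Not the project's code; table and column names are assumed.
func vulnerableListSQL(orderByColumn, isAsc string) string {
	return fmt.Sprintf("SELECT * FROM sys_dict_type ORDER BY %s %s LIMIT 10", orderByColumn, isAsc)
}

// Hardened form. ORDER BY identifiers cannot be bound as query parameters,
// so the safe option is an allowlist that maps the client-facing sort key to
// a fixed column name. Anything not in the map is rejected outright.
var allowedSortColumns = map[string]string{
	"dictId":     "dict_id",
	"dictName":   "dict_name",
	"dictType":   "dict_type",
	"createTime": "create_time",
}

// sortClause returns a validated "column DIRECTION" fragment or an error.
// The accepted direction spellings are an assumption for this example.
func sortClause(orderByColumn, isAsc string) (string, error) {
	col, ok := allowedSortColumns[orderByColumn]
	if !ok {
		return "", fmt.Errorf("unsupported sort column %q", orderByColumn)
	}
	var dir string
	switch strings.ToLower(strings.TrimSpace(isAsc)) {
	case "", "asc":
		dir = "ASC"
	case "desc":
		dir = "DESC"
	default:
		return "", fmt.Errorf("unsupported sort direction %q", isAsc)
	}
	return col + " " + dir, nil
}

// maxPageSize is an assumed upper bound for the example.
const maxPageSize = 100

// clampPage forces page number and page size into a sane range so a client
// cannot request page 0 or a page covering millions of rows.
func clampPage(pageNum, pageSize int) (int, int) {
	if pageNum < 1 {
		pageNum = 1
	}
	if pageSize < 1 {
		pageSize = 10
	}
	if pageSize > maxPageSize {
		pageSize = maxPageSize
	}
	return pageNum, pageSize
}

// safeListSQL builds the paged query from a validated sort clause and clamped
// paging values. Only two integers and an allowlisted fragment are ever
// interpolated; no request string reaches the SQL text.
func safeListSQL(orderByColumn, isAsc string, pageNum, pageSize int) (string, error) {
	order, err := sortClause(orderByColumn, isAsc)
	if err != nil {
		return "", err
	}
	pageNum, pageSize = clampPage(pageNum, pageSize)
	offset := (pageNum - 1) * pageSize
	return fmt.Sprintf("SELECT * FROM sys_dict_type ORDER BY %s LIMIT %d OFFSET %d", order, pageSize, offset), nil
}

func main() {
	// A time-based probe of the kind the Reproduction section describes.
	payload := "(SELECT sleep(5))"
	fmt.Println("vulnerable:", vulnerableListSQL(payload, "asc"))
	if _, err := safeListSQL(payload, "asc", 1, 10); err != nil {
		fmt.Println("hardened rejected payload:", err)
	}
	q, _ := safeListSQL("dictName", "desc", 3, 20)
	fmt.Println("hardened:", q)
}
```

The allowlist is the essential control: escaping or quoting a sort column does not help, because a quoted identifier is no longer a column reference in most databases, and a "blocklist" of keywords such as 'sleep' is trivially bypassed. Mapping client keys to column names also keeps the physical schema out of the API.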

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 0.0
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.