Shsuishang Modulithshop SQL Injection Vulnerability in ProductItemDao Interface
Vulnerability
A SQL injection vulnerability has been identified in the Shsuishang Modulithshop application, specifically in the 'listItem' function of the 'ProductIndexServiceImpl.java' file. This vulnerability affects the 'sidx' and 'sort' parameters, allowing attackers to inject malicious SQL code that could be executed in the database. The issue arises from the direct interpolation of these parameters into the SQL ORDER BY clause without proper validation or sanitization. As a result, an attacker could exploit this vulnerability to extract sensitive information from the database, such as product details, user data, system configurations, and potentially administrative credentials. The vulnerability can be exploited remotely, and a public exploit is available.
Impact
Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate database queries to execute arbitrary SQL code. This could lead to unauthorized data access, such as extracting sensitive information from the database, including product data, user details, and administrative credentials. In some database configurations, it could also allow for data manipulation operations like INSERT, UPDATE, or DELETE.
Reproduction
To reproduce this vulnerability, send a GET request to the '/front/pt/product/listItem' endpoint with crafted 'sidx' and 'sort' parameters that exploit the SQL injection flaw. The 'sidx' parameter can be manipulated to inject SQL payloads, while the 'sort' parameter can be set to 'ASC' or 'DESC' to control the sorting order. The injection takes place in the ORDER BY clause of the SQL query, where the injected payload is executed by the database.
Remediation
A patch has been applied in commit '42bcb9463425d1be906c3b290cf29885eb5a2324' to address this vulnerability. Users should update to the latest version of Shsuishang Modulithshop to mitigate the SQL injection risk.
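Because column names and sort directions in an ORDER BY clause cannot be passed as bound parameters, the usual defence for inputs like 'sidx' and 'sort' is to map them onto a fixed allow-list and reject everything else before any SQL is built. The following Java class is an added example of that pattern, not code from the Modulithshop project or from the referenced patch; the class name, the sort-key-to-column mapping and the default ordering are assumptions chosen for illustration.

```java
import java.util.Map;
import java.util.Set;

/**
 * Added example, not the project's code: allow-list validation for
 * user-supplied ORDER BY inputs (the 'sidx' column key and 'sort' direction).
 * The column mapping, defaults and class name are assumptions.
 */
public final class OrderByGuard {

    // Assumed mapping from request-facing sort keys to real column names.
    // Only keys present here can influence the query; the request value
    // itself is never placed in the SQL string.
    private static final Map<String, String> ALLOWED_COLUMNS = Map.of(
            "price", "p.price",
            "sales", "p.sales_count",
            "created", "p.create_time");

    // The direction is likewise restricted to two fixed literals.
    private static final Set<String> ALLOWED_DIRECTIONS = Set.of("ASC", "DESC");

    private static final String DEFAULT_COLUMN = "p.create_time";
    private static final String DEFAULT_DIRECTION = "DESC";

    private OrderByGuard() {}

    /**
     * Builds an ORDER BY fragment from untrusted input. The returned string is
     * assembled only from allow-listed constants, so no user-controlled text
     * is ever concatenated into the query. Unknown keys or directions are
     * rejected rather than "cleaned", which keeps the failure mode explicit.
     */
    public static String orderBy(String sidx, String sort) {
        String column = (sidx == null || sidx.isBlank())
                ? DEFAULT_COLUMN
                : ALLOWED_COLUMNS.get(sidx.trim().toLowerCase());
        if (column == null) {
            throw new IllegalArgumentException("unsupported sort column");
        }

        String direction = (sort == null || sort.isBlank())
                ? DEFAULT_DIRECTION
                : sort.trim().toUpperCase();
        if (!ALLOWED_DIRECTIONS.contains(direction)) {
            throw new IllegalArgumentException("unsupported sort direction");
        }

        return "ORDER BY " + column + " " + direction;
    }

    public static void main(String[] args) {
        // Benign input resolves to the allow-listed column and direction.
        System.out.println(orderBy("price", "asc"));

        // Missing parameters fall back to the defaults instead of failing.
        System.out.println(orderBy(null, null));

        // Any value outside the allow-list is refused before SQL is built,
        // regardless of what characters it contains (constructed input).
        try {
            orderBy("price, 1", "ASC");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In a MyBatis-style DAO the value returned by `orderBy` would be the only thing substituted into the `${...}` placeholder, so the mapper never sees the raw request parameters. Rejecting unknown keys with an exception (mapped to an HTTP 400 at the controller layer) is deliberate: silently falling back to a default hides probing attempts from application logs, whereas an explicit rejection gives defenders a signal to alert on.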