Liyupi Yu-Picture MyBatis-Plus SQL Injection Vulnerability
Vulnerability
A SQL injection vulnerability has been identified in Liyupi Yu-Picture versions up to a053632c41340152bf75b66b3c543d129123d8ec. The issue arises in the PictureServiceImpl.java file, specifically within the PageRequest function. The vulnerability is caused by the sortField parameter being passed directly to the MyBatis-Plus orderBy() method without proper validation or parameterization. This flaw allows remote attackers to manipulate the SQL ORDER BY clause, leading to arbitrary data extraction from the database. The vulnerability is present in multiple endpoints that are accessible without authentication.
Impact
Exploitation of this vulnerability allows time-based blind SQL injection: the injected SQL produces no visible difference in the application's output, but its effect can be inferred from the application's response time. This could be used to extract sensitive information from the database, such as user credentials or admin passwords.
Reproduction
To reproduce this vulnerability, send a POST request to the /api/picture/list/page/vo endpoint with a crafted sortField parameter that includes a SQL injection payload, such as a subquery that uses the SLEEP() function. The response will be delayed by the duration specified in the SLEEP() function, indicating that the injection was successful.
Remediation
A patch has been developed and is available as a pull request on the project's GitHub repository.
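To make the defect described under Vulnerability concrete, the following added example (illustrative code, not the Yu-Picture project's own source or its patch) shows a request-controlled sortField handed straight to the MyBatis-Plus orderBy() method, beside a hardened version that only accepts keys from a fixed allowlist and writes the mapped column name, never the raw request string, into ORDER BY. The Picture entity class, the allowlist contents and the column names are assumptions.

```java
import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;

import java.util.Map;

public class PictureSortExample {

    // Hypothetical entity standing in for the project's Picture class.
    static class Picture {
    }

    // Vulnerable pattern: the sortField string from the request becomes the
    // ORDER BY column as-is, so anything the caller sends reaches the SQL.
    static QueryWrapper<Picture> vulnerableWrapper(String sortField, String sortOrder) {
        QueryWrapper<Picture> qw = new QueryWrapper<>();
        qw.orderBy(sortField != null && !sortField.isEmpty(),
                   "ascend".equals(sortOrder), sortField);
        return qw;
    }

    // Hardened form: request keys are looked up in an allowlist (assumed
    // field-to-column mapping) and only the fixed column name is used.
    private static final Map<String, String> SORTABLE_COLUMNS = Map.of(
            "createTime", "create_time",
            "updateTime", "update_time",
            "name", "name");

    static QueryWrapper<Picture> hardenedWrapper(String sortField, String sortOrder) {
        QueryWrapper<Picture> qw = new QueryWrapper<>();
        if (sortField == null || sortField.isEmpty()) {
            return qw; // no ordering requested; caller may apply a default
        }
        String column = SORTABLE_COLUMNS.get(sortField);
        if (column == null) {
            // Reject rather than pass through: unknown keys never reach SQL.
            throw new IllegalArgumentException("unsupported sortField: " + sortField);
        }
        // Only "ascend" yields ASC; any other value is treated as DESC,
        // so sortOrder can never inject text either.
        qw.orderBy(true, "ascend".equals(sortOrder), column);
        return qw;
    }
}
```

A request whose sortField is not one of the allowlisted keys is refused by the hardened wrapper before any query is built, which also makes such requests easy to log and alert on.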
