linlinjava litemall
cpe:2.3:a:litemall_project:litemall:*:*:*:*:*:*:*
- <= 1.8.0
A SQL injection vulnerability has been identified in Linlinjava Litemall versions through 1.8.0. The issue arises in multiple admin controller list endpoints, where the 'sort' and 'order' HTTP parameters are not properly sanitized before being used in SQL queries. This vulnerability allows for remote exploitation and has been publicly disclosed, with available proof-of-concept exploits.
Successful exploitation allows an attacker to extract sensitive data from the database, including admin password hashes, and to manipulate the affected queries in ways that can lead to unauthorized data access or modification.
The vulnerability can be reproduced by sending a GET request to one of the affected admin list endpoints, such as '/admin/aftersale/list'. Include the 'sort' parameter with a crafted SQL injection payload, such as a boolean-based injection or an extraction payload using MySQL's 'extractvalue' function. The 'order' parameter can also be manipulated to further exploit the injection.
To address this vulnerability, it is recommended to validate and sanitize the 'sort' and 'order' parameters in all affected admin controllers. Implement a whitelist of accepted values and ensure that user input is not directly concatenated into SQL queries. Additionally, consider using parameterized queries to prevent SQL injection.
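One way to apply the allow-list mitigation described above, as an added example that is not code from the litemall project: the request-facing 'sort' value is mapped through a fixed table of column names and 'order' is checked against asc/desc, because identifiers in an ORDER BY clause cannot be bound as query parameters, so a parameterized query alone does not close this hole. The class name and the column names in the table are assumptions.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/** Allow-list validation for the 'sort' and 'order' parameters of an admin list endpoint. */
public final class SortOrderValidator {

    // Hypothetical allow-list: request parameter value -> actual column name.
    // Only these keys are accepted; anything else is rejected before a query is built.
    private static final Map<String, String> AFTERSALE_SORT_COLUMNS = Map.of(
            "add_time", "add_time",
            "update_time", "update_time",
            "status", "status");

    private static final Set<String> ORDERS = Set.of("asc", "desc");

    private final Map<String, String> sortColumns;

    public SortOrderValidator(Map<String, String> sortColumns) {
        this.sortColumns = sortColumns;
    }

    /**
     * Returns an "ORDER BY <column> <dir>" fragment built only from allow-listed values.
     * The raw request strings never reach the SQL text; the mapped column name does.
     */
    public String orderByClause(String sort, String order) {
        String column = sortColumns.get(sort);
        if (column == null) {
            throw new IllegalArgumentException("sort parameter not permitted: " + sort);
        }
        String dir = order == null ? "asc" : order.toLowerCase(Locale.ROOT);
        if (!ORDERS.contains(dir)) {
            throw new IllegalArgumentException("order parameter not permitted: " + order);
        }
        return "ORDER BY " + column + " " + dir.toUpperCase(Locale.ROOT);
    }

    public static void main(String[] args) {
        SortOrderValidator v = new SortOrderValidator(AFTERSALE_SORT_COLUMNS);
        System.out.println(v.orderByClause("add_time", "desc"));
        // A real column that is not on the allow-list is rejected just like a crafted value.
        for (String[] bad : new String[][] {{"password", "desc"}, {"add_time", "desc, 1"}}) {
            try {
                v.orderByClause(bad[0], bad[1]);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Applying the same validator in every affected admin list controller, rather than only the one named above, is what closes the issue across the code base.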